Image Upload Perms automatically set to 600

#1 (permalink)
09-21-05, 09:26 AM
progress

I am using a CGI script that uploads photos, and my version of Plesk is saving the uploaded files as 0600 instead of the standard 0644, causing a 403 Forbidden error when I try to view the uploaded photo. I have to manually FTP in and change the perms, which obviously is very tedious as the script is used a lot. Plesk has said to add a chmod statement to my CGI script after upload, but I cannot figure out where to do this. Attached is the segment of code for the upload; can someone please suggest where I should put the chmod statement?

#Begin Code Segment

if (($Image_Upload_1=~/\\/ || $Image_Upload_1=~/\:/) && $Image_Upload_1 !~/delete/i){
  $containsimageImage_Upload_1=1;
  #Get Unix time. Will constitute file name
  if (!$tstamp){
    $tstamp=time;
  }
  else{
    $tstamp++;
  }
  @splitparts=split(/\./,$Image_Upload_1);
  $parts=@splitparts;
  $parts--;
  $extension=lc($splitparts[$parts]);
  if ($extension!~/gif|jpg|jpeg/i){
    $problem="You are attempting to upload a file with an incorrect extension .$splitparts[$parts]. For security reasons, only image files .gif, .jpg, or .jpeg extensions can be uploaded.";
    &security;
  }
  if ($Image_Upload_1=~/\.cgi|\.pl|\.exe/i){
    $problem="You are attempting to upload a file that could be hazardous to the server.
Please make sure that you upload only files with .gif, .jpg, or .jpeg extensions. .pl or
.cgi can't make up any part of the filename you are uploading.";
    &security;
  }
  $Imagemaximum=$Imagemaxz*1024;
  $size=-1024;
  $problem="Can't write the image to the directory . Make sure that
you have set the permissions for this directory so that it is writeable and that
you have specified a valid directory path.";
  open (OUTFILE,">$Imageuploadpath$tstamp.$extension") || &security;
  while ($bytesread=read($Image_Upload_1,$buffer,1024)) {
    $size=$size+1024;
    if ($size>$Imagemaximum){
      $problem="You are attempting to upload a file that is too large. Please decrease
the size of the image and try again.";
      close(OUTFILE);
      unlink("$Imageuploadpath$tstamp.$extension");
      &security;
    }

    #On Windows servers, uncomment the following line
    #binmode(OUTFILE);

    print OUTFILE $buffer;
  }
  close(OUTFILE);

  $Image_Upload_1checksize=-s "$Imageuploadpath$tstamp.$extension";
  if ($Image_Upload_1checksize<5){
    $problem="Unable to upload the image in field $Image_Upload_1. Your server configuration may not be
compatible with this feature or your browser was not able to find the file that you pointed it to.";
    $imageerror=1;
  }

  if ($imageerror){
    unlink("$Imageuploadpath$tstamp.$extension");
    &security;
  }
  $Image_Upload_1="$tstamp.$extension";
}

if ($Image_Upload_1=~/delete/i){
  $Image_Upload_1="";
  $Image_Upload_1delete=$query->param('Image_Upload_1b');
  if ($Image_Upload_1delete){
    unlink("$Imageuploadpath$Image_Upload_1delete");
  }
}
elsif (!$containsimageImage_Upload_1 && $actiontotake=~/edit/i){
  $Image_Upload_1=$query->param('Image_Upload_1b');
}
#2 (permalink)
09-26-05, 12:24 AM
Chas

Hi progress,

Please use the code /code blocks when you post code. It's much easier for people to read if it's formatted correctly.

Now for your problems. You should put the chmod after this bit of code:

Code:
    print OUTFILE $buffer;
  }
  close(OUTFILE);
  chmod 0644, "$Imageuploadpath$tstamp.$extension" or die "Unable to chmod: $!";
You also have another, more serious, problem in this bit of code:

Code:
if ($Image_Upload_1 =~ /delete/i) {
  $Image_Upload_1 = "";
  $Image_Upload_1delete = $query->param('Image_Upload_1b');
    
  if ($Image_Upload_1delete) {
    unlink("$Imageuploadpath$Image_Upload_1delete");
  }
}
You are not doing any taint checking on your user input. What happens if someone entered something like ../../../public_html/index.html (or something worse) into your form? Once an unscrupulous person figures out a good path they can start deleting all your files.

http://perldoc.perl.org/perlsec.html

~Charlie
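Added example (not part of the thread and not either poster's code): one way to close the delete path described in post #2 is to accept Image_Upload_1b only when it matches the file-name shape the upload code itself generates. The helper names, the 12-digit bound and the temporary directory standing in for $Imageuploadpath are assumptions.

```perl
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);

# The upload code stores every image as "<unix time>.<gif|jpg|jpeg>", so
# Image_Upload_1b is accepted only in exactly that shape. \A and \z anchor
# the whole string (a trailing newline fails), and returning the capture
# is also what untaints the value when the CGI runs under perl -T.
sub safe_upload_name {
    my ($name) = @_;
    return unless defined $name;
    return $1 if $name =~ /\A(\d{1,12}\.(?:gif|jpe?g))\z/;
    return;
}

# Hypothetical helper: delete one stored image and nothing outside $dir.
sub delete_upload {
    my ($dir, $requested) = @_;
    my $name = safe_upload_name($requested);
    return 0 unless defined $name;
    my $path = File::Spec->catfile($dir, $name);
    return 0 if -l $path or not -f $path;   # regular files only, no symlinks
    return unlink($path) ? 1 : 0;
}

# Constructed demo: a temporary tree stands in for the site and $Imageuploadpath.
my $site    = tempdir(CLEANUP => 1);
my $uploads = File::Spec->catdir($site, 'uploads');
mkdir $uploads or die "mkdir $uploads: $!";
my $index = File::Spec->catfile($site, 'index.html');
my $image = File::Spec->catfile($uploads, '1127309160.jpg');
for my $path ($index, $image) {
    open(my $fh, '>', $path) or die "open $path: $!";
    print {$fh} "sample";
    close($fh) or die "close $path: $!";
}

# Constructed form values for Image_Upload_1b.
for my $req ('../index.html', '1127309160.jpg/../../index.html',
             "1127309160.jpg\n", '1127309160.jpg') {
    (my $shown = $req) =~ s/\n/\\n/g;
    my $result = delete_upload($uploads, $req) ? 'deleted' : 'rejected';
    printf "%-34s %s\n", $shown, $result;
}
print "index.html still present: ", (-e $index ? 'yes' : 'no'), "\n";
```
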
#3 (permalink)
10-05-05, 01:19 PM
progress
Awesome

Thanks for the awesome reply! It worked and thanks for pointing out that glaring security flaw!!! I have my ISP working on fixing that as well!!!! MUCH THANKS