At the risk of banishment I would like to know if Perl is better suited for what I want to do.

Having spent time going over PHP security issues for uploading image files, I decided to ask my hosting company if they have an opinion on the subject.

Their response was:

PHP upload is a major problem because of security holes... Our servers attempt to control all uploads to the tmp folder with a lot of restrictions... We recommend that you use Perl for file upload. PHP is good, but honestly not in file upload. More than 90% of our site is written in PHP, but all system related scripts are in Perl, because Perl does much better when you want to do something at the low level.

What do you think? Is Perl the better path to follow when it comes to 'low level' functions?

BTW they also have ImageMagick and PerlImageMagick installed. According to the documentation it looks like this app will resize the image as well as offer other image manipulations. Anyone use ImageMagick (version 5.5.1.3)? What do you think of the program?

    Perl has been around for some time so a lot of the kinks and security issues have been worked out by now (of course, not counting any security leaks introduced by the Perl scripter).

    PHP had some serious issues with file uploading some time ago. Part of the problem was having register_globals enabled. You could spoof the global variable data with your own and tell PHP to work with a different file than the one uploaded. Another problem was related to buffer overflows. There may be some other issues, but these were the ones that stood out (and these were problems back in 2000-2002).

    Check out what google has to say:

    http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=php+upload+file+security+issues&btnG=Google+Search

    Global variable issue:
    http://www.security.nnov.ru/search/document.asp?docid=630

    MIME encoding issue:
    http://security.e-matters.de/advisories/012002.html

      AstroTeg,

      I take it that you concur with my web hosting's assessment that Perl is better suited in this situation.

      Thanks for the links. They are helpful.

        I wouldn't take it that he meant that. He clearly stated that those problems were back in '01-'02. This is 2004. I think he meant that all or most problems are resolved in 4.3.4.

          Moonglobe,

          It is a matter of interpretation. AstroTeg wrote:

          There may be some other issues, but these were the ones that stood out (and these were problems back in 2000-2002).

          I took it to mean that these issues have existed for some time and continue to exist. It isn't clear why you think that the problems have been resolved. You could be right about this, I just need clarification.

          Everything I've read about using PHP for uploading indicates that security issues persist. It's possible that what you say is spot on and the articles I'm reading refer to older versions. I just haven't seen anything that indicates that the situation has changed. If you know of a site I'd appreciate a link.

          Since my web hosting has not taken the measures necessary to increase the security level (because of the problems in doing so that are outlined in the articles that AstroTeg links), it would seem that for many of us PHP lovers PHP remains a risky endeavor when it comes to uploading files. I'd prefer to use PHP, but I need to have confidence that it isn't opening the door to those with rat brain transplants.

          Frankly, I don't know enough to disagree with you, so please help me understand.

            Well, while he did state that there may still be issues, the ones you referred to were most likely resolved. At least that's what I got from it. But we'll have to see what AstroTeg thinks he said, won't we? 😉

              I kind of left it open to interpretation. My take on it is:

              Perl is always an option. It can definitely do the job.

              PHP had issues in the past. What could be patched was patched (MIME handling buffer overflow). The register_globals issue was kind of a bigger one, since the web coder actually had to change their way of form processing. I believe now the default is for register_globals to be disabled, although I still run across scripts that were meant for register_globals to be enabled. It's the web coder's responsibility to determine how this impacts their server's security.

              I feel pretty safe using PHP for file uploading (and if the site is entirely in PHP, you might as well do the file uploading in PHP as well; it'll be easier to revisit later on). Just try to understand as best as you can what's involved with uploading a file and what PHP and your script will do. Then spend a moment thinking about what could go wrong if funky data was somehow inserted (either as a file, but more importantly if you do some tricks with directories and file names). With file uploading, it can be easy for a web coder to make a simple mistake which could create a hole for someone to take advantage of. But you have this with Perl as well.
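An added example (not code posted in this thread, and not from any particular project) showing the two points raised above side by side: the register_globals-era upload handler that AstroTeg describes earlier, where spoofed form fields make PHP work with a different file than the one uploaded, and a hardened handler that proves the file really came from this request's upload, validates it by content, and never lets the client-supplied name or a `../` reach the filesystem. The `uploads/` directory, the `userfile` field name, and the 2 MB cap are assumptions for illustration.

```php
<?php
// Added example: register_globals-style upload handling versus a hardened handler.
// "uploads/", the "userfile" field and the 2 MB limit are assumptions, not thread content.

// --- Vulnerable, register_globals-era pattern (do NOT use) ---
// With register_globals=On, a form field named "userfile" became the globals
// $userfile (temp path) and $userfile_name (client filename). Any request can set
// those fields directly, e.g. userfile=/etc/passwd&userfile_name=../../htdocs/x.php,
// so copy() reads a server file of the attacker's choosing and writes it wherever
// the attacker says. Nothing here proves the file was actually uploaded.
function vulnerable_save($userfile, $userfile_name)
{
    return copy($userfile, "uploads/" . $userfile_name);
}

// --- Hardened pattern: takes the $_FILES array, returns the stored name or false ---
function safe_save(array $files, $field = 'userfile', $dest_dir = 'uploads')
{
    // No file, or PHP itself reported a problem (size limits, partial upload, ...)
    if (!isset($files[$field]) || $files[$field]['error'] !== UPLOAD_ERR_OK) {
        return false;
    }
    $tmp = $files[$field]['tmp_name'];

    // Only a file PHP placed in its upload tmp dir during this request passes.
    // A spoofed path such as /etc/passwd is rejected here.
    if (!is_uploaded_file($tmp)) {
        return false;
    }

    // Assumed size cap of 2 MB; enforce it server-side regardless of the form.
    if (filesize($tmp) > 2 * 1024 * 1024) {
        return false;
    }

    // Decide the type from the file's content, never from the client's name or
    // the Content-Type it claimed: both are attacker-controlled.
    $info = @getimagesize($tmp);
    $allowed = array(
        IMAGETYPE_GIF  => 'gif',
        IMAGETYPE_JPEG => 'jpg',
        IMAGETYPE_PNG  => 'png',
    );
    if ($info === false || !isset($allowed[$info[2]])) {
        return false;
    }

    // Never reuse the client's filename. A generated name means "../", NUL bytes
    // and a ".php" extension can never appear in the path we write to.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$info[2]];
    $dest = rtrim($dest_dir, '/') . '/' . $name;

    // move_uploaded_file() re-checks that $tmp is a genuine upload before moving it.
    if (!move_uploaded_file($tmp, $dest)) {
        return false;
    }
    chmod($dest, 0644);   // readable, not executable
    return $name;
}

// Usage from the script that receives the multipart/form-data POST:
//   $saved = safe_save($_FILES);
//   if ($saved === false) {
//       header('HTTP/1.1 400 Bad Request');
//       exit;
//   }
//   echo 'Stored as ' . htmlspecialchars($saved, ENT_QUOTES, 'UTF-8');
```

The same checks apply whichever language handles the request: the three things that matter are that the file being saved is the one the web server received (is_uploaded_file / move_uploaded_file), that its type is judged from its bytes rather than its name, and that the stored path is built entirely on the server side. Keep the `uploads/` directory outside the document root, or configure the web server not to execute scripts from it, so that even a mis-detected file cannot be run.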

                AstroTeg,

                Thanks for clearing things up.
