Posted to modperl@perl.apache.org by Kemin Zhou <ke...@ferring.com> on 2004/06/29 23:54:41 UTC

Uploading files

To the Developers,

I saw this in the documentation for Apache::Request

for file upload

       tempname [XXX- Does this mesh with brigade API?]

       Provides the name of the spool file. This method is reserved for debugging
       purposes, and is possibly subject to change in a future version of
       Apache::Request.

From a user's point of view, this method has to be available to the users
and not removed in the future.
In many cases, I use external programs to provide services to my users
(usually inside my firewall).
Many of the external programs use files as inputs, not strings.  In
this case I can simply feed the external program with the file uploaded.
If I don't have this tmp file available, then I have to create a
temp file somewhere.  This duplicates the effort.  I would prefer this
method to be stable, although this method may need some effort for security.

Kemin



**********************************************************************
Proprietary or confidential information belonging to Ferring Holding SA or to one of its affiliated companies may be contained in the message. If you are not the addressee indicated in this message (or responsible for the delivery of the message to such person), please do not copy or deliver this message to anyone. In such case, please destroy this message and notify the sender by reply e-mail. Please advise the sender immediately if you or your employer do not consent to e-mail for messages of this kind. Opinions, conclusions and other information in this message represent the opinion of the sender and do not necessarily represent or reflect the views and opinions of Ferring.
**********************************************************************


-- 
Report problems: http://perl.apache.org/bugs/
Mail list info: http://perl.apache.org/maillist/modperl.html
List etiquette: http://perl.apache.org/maillist/email-etiquette.html


Re: Uploading files

Posted by Joe Schaefer <jo...@sunstarsys.com>.
Kemin Zhou <ke...@ferring.com> writes:

> Joe Schaefer wrote:

[...]

> >Despite my past grumblings to the contrary, I've added support for
> >tempname to httpd-apreq-2's current-cvs.

[...]

> Thanks for the help.  The tempname is not available in mp2.  

You misunderstood me.  When I read your article, I thought you
gave sufficient reasons as to why apreq2 should support tempname,
so I wrote an implementation and committed it *right then* to cvs.
Prior to your article tempname() was unimplemented in apreq2 (in fact 
it was *removed* from the documentation not more than a day or two 
prior to your post).

[...]

> I don't know how this is implemented.  I used to write my own file
> upload method.  Some of my web applications still use these methods.  
> It is very simple.  

That's all fine and dandy, but apreq2 is operating under more stringent
requirements.  There is a coercive effect when you implement your own
data parser: unless everyone else adopts your implementation, somebody
inevitably gets left out of the loop.

apreq2 imposes no adoption requirements on other modules. For instance
you can implement an auth handler with apreq2 that parses the post
data, which then decides to accept the request and hand it off to 
a cgi script.  The cgi script will still have the full POST data 
available for it to use/parse.

Or you can write a content handler that uses apreq2 which parses the
post data and then does an internal redirect to the proxy handler.  The
proxied server will still see the original POST data, without any extra
code by the content-handler author.

[...]

> Putting more thought into uploads could benefit the future.

Thanks, we'll try.  In the meantime I've rolled another snapshot
of current-cvs that you're very welcome to try

  http://cvs.apache.org/~joes/libapreq2-2.04-dev.tar.gz

-- 
Joe Schaefer




Re: Uploading files

Posted by Kemin Zhou <ke...@ferring.com>.
Joe Schaefer wrote:

>Kemin Zhou <ke...@ferring.com> writes:
>
>  
>
>>To the Developers,
>>
>>I saw this in the documentation for Apache::Request
>>
>>for file upload
>>
>>       tempname [XXX- Does this mesh with brigade API?]
>>
>> Provides the name of the spool file. This method is reserved for
>> debugging purposes, and is possibly subject to change in a future
>> version of Apache::Request.
>>
>>From a user's point of view, this method has to be available to the
>>users and not removed in the future.
>>
>
>[...]
>
>Despite my past grumblings to the contrary, I've added support for tempname
>to httpd-apreq-2's current-cvs.  I don't know what sort of security
>implications you are concerned about, but perhaps the best thing to do
>is simply not use tempname, instead using link() - and then delete the 
>linked file yourself once the external app is done with it.
>
>  
>
Joe,
Thanks for the help.  The tempname is not available in mp2.  There is
another method that I found, slurp(); it gave the content of the file,
and this method works fine for me.  The ->fh method is gone too.  While
I was reading the documents for link() I did not understand how to use
it.  I will go back and read the doc again.

I don't know how this is implemented.  I used to write my own file
upload method.  Some of my web applications still use these methods.
It is very simple.  Nowadays all the servers have huge amounts of
memory.  The content can be read into a variable.  Somewhere in the
configure file, or in the function call itself, there should be a way
to set the limit for the size of the upload, to prevent an attacker
from sending you a gigabyte file.  Then the programmer can write the
content to a file.

If the module puts the content of the upload into a file (temp hopefully),
and the programmer is only interested in the name of the file, he/she
does not have to read from the file handle and put it into another file
(duplicate effort).  If the programmer is only interested in the content
of the file, writing the file to disk may reduce the performance.

Putting more thought into uploads could benefit the future.

Kemin









Re: Uploading files

Posted by Joe Schaefer <jo...@sunstarsys.com>.
Kemin Zhou <ke...@ferring.com> writes:

> To the Developers,
> 
> I saw this in the documentation for Apache::Request
> 
> for file upload
> 
>        tempname [XXX- Does this mesh with brigade API?]
>
>  Provides the name of the spool file. This method is reserved for
>  debugging purposes, and is possibly subject to change in a future
>  version of Apache::Request.
> 
> From a user's point of view, this method has to be available to the
> users and not removed in the future.

[...]

Despite my past grumblings to the contrary, I've added support for tempname
to httpd-apreq-2's current-cvs.  I don't know what sort of security
implications you are concerned about, but perhaps the best thing to do
is simply not use tempname, instead using link() - and then delete the 
linked file yourself once the external app is done with it.

-- 
Joe Schaefer
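
The link-then-delete handoff suggested above, together with the upload size limit raised elsewhere in the thread, as an added example that is not part of the original messages or of apreq2. It uses only core Perl; hand_off(), $MAX_BYTES and the stand-in spool file are hypothetical names, and inside a handler the staging step would be the upload object's link() method rather than the builtin.

```perl
#!/usr/bin/perl
# Added example (not from the thread): stage an uploaded spool file for an
# external program through a private hard link, then remove the link.
use strict;
use warnings;
use File::Temp qw(tempfile);
use File::Copy qw(copy);
use File::Spec;

my $MAX_BYTES = 10 * 1024 * 1024;    # assumed upload ceiling, re-checked here

# hand_off($spool, @cmd): run @cmd with the path of a private link to $spool
# appended as the last argument; returns the command's exit status.
sub hand_off {
    my ($spool, @cmd) = @_;
    my $size = -s $spool;
    die "spool file missing\n" unless defined $size;
    die "upload too large ($size bytes)\n" if $size > $MAX_BYTES;

    # newdir() creates a mode-0700 directory that is removed when $dir goes
    # out of scope. The file name is ours, never the client-supplied filename.
    my $dir  = File::Temp->newdir('handoff-XXXXXXXX', TMPDIR => 1);
    my $dest = File::Spec->catfile("$dir", 'input.dat');

    # Hard link when both paths share a filesystem, otherwise fall back to a copy.
    link($spool, $dest) or copy($spool, $dest)
        or die "cannot stage upload: $!\n";

    # List-form system() bypasses the shell, so the path is never interpreted.
    my $rc = system { $cmd[0] } @cmd, $dest;

    # The link is ours to delete; the parser still owns the spool file itself.
    unlink $dest or warn "cannot remove $dest: $!\n";
    return $rc == -1 ? -1 : $rc >> 8;
}

# Constructed stand-in for the spool file the upload parser would create.
my ($fh, $spool) = tempfile('spool-XXXXXXXX', TMPDIR => 1, UNLINK => 1);
print {$fh} "constructed sample upload\n";
close $fh or die "close: $!\n";

# $^X (this perl) stands in for the external program; it prints the byte count.
my $status = hand_off($spool, $^X, '-e', 'print -s $ARGV[0], " bytes\n"');
print "external program exited with status $status\n";
```

Because the external program sees only the link, the parser can delete or reuse its spool file at any time without affecting the handoff.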

