Handy little file upload script
You might have tried to make a file upload script with PHP at some time, and then tried to upload very large files. As in a gig or so. PHP doesn't like that.
If there's any PHP at all on your webserver.
One thing that just about always works, is CGI, and bash, or at least sh.
So here's a little bit of HTML for the form, and the shellscript that you stick in your cgi-bin dir.
upload/index.html:
And here is cgi-bin/upload.sh
#!/usr/bin/bash
echo Content-Type: text/plain
echo
read LINE
read LINE
read LINE
read LINE
read LINE
read LINE
FILENAME=`echo $LINE | sed 's/^.*filename="//' | sed 's/".$//'`
cat | tail -n +3 | head -n -1 | head -c -2 > /data/uploads/tmp.$$.$FILENAME
echo `ls -l /data/uploads/tmp.$$.$FILENAME`
It works, but you can doubt the security of it. I haven't put much thought into that yet. If security is an issue, take out the FILENAME= line and take off the $FILENAME vars from the next 2 lines.
Enjoy.
Update: wasabi pointed out that the only security risk he saw was spaces and as I suspected, he was right. Putting quotes around the filename stuff is enough to counter that though. So here's the updated upload.sh:
#!/usr/bin/bash
echo Content-Type: text/plain
echo
read LINE
read LINE
read LINE
read LINE
read LINE
read LINE
FILENAME=`echo $LINE | sed 's/^.*filename="//' | sed 's/".$//'`
cat | tail -n +3 | head -n -1 | head -c -2 > "/data/uploads/tmp.$$.$FILENAME"
echo `ls -l "/data/uploads/tmp.$$.$FILENAME"`
If there's any PHP at all on your webserver.
One thing that just about always works, is CGI, and bash, or at least sh.
So here's a little bit of HTML for the form, and the shellscript that you stick in your cgi-bin dir.
upload/index.html:
And here is cgi-bin/upload.sh
#!/usr/bin/bash
echo Content-Type: text/plain
echo
read LINE
read LINE
read LINE
read LINE
read LINE
read LINE
FILENAME=`echo $LINE | sed 's/^.*filename="//' | sed 's/".$//'`
cat | tail -n +3 | head -n -1 | head -c -2 > /data/uploads/tmp.$$.$FILENAME
echo `ls -l /data/uploads/tmp.$$.$FILENAME`
It works, but you can doubt the security of it. I haven't put much thought into that yet. If security is an issue, take out the FILENAME= line and take off the $FILENAME vars from the next 2 lines.
Enjoy.
Update: wasabi pointed out that the only security risk he saw was spaces and as I suspected, he was right. Putting quotes around the filename stuff is enough to counter that though. So here's the updated upload.sh:
#!/usr/bin/bash
echo Content-Type: text/plain
echo
read LINE
read LINE
read LINE
read LINE
read LINE
read LINE
FILENAME=`echo $LINE | sed 's/^.*filename="//' | sed 's/".$//'`
cat | tail -n +3 | head -n -1 | head -c -2 > "/data/uploads/tmp.$$.$FILENAME"
echo `ls -l "/data/uploads/tmp.$$.$FILENAME"`