CGI and temFileName -- uploading files

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

I have an internal app working on Windows with Apache that munges data
files and generates reports. It runs inside our firewall, and only
four people have access. We had a number of these kinds of apps to do
and limited time, so I took the easy way out (always dangerous, hence
this post) and used the CGI method tmpFileName() to grab the upload
file(s), open them, and write the data to memory. The upload files are
deleted when the script exits, which is fine as we don't need to save
them on the server.

The apps don't have any security at all other than restriction to four
users internal to our local network, and they are in the offices down
the hall so they are certainly within shouting distance if not
grabbing distance. I am aware that Bad Things can happen with file
uploads but am not concerned in general because we are not attached to
the outside world (no external access to the network).

Here's the question: is there anything extremely dangerous in doing
things this way, in view of the fact that we control the server, the
data, the users, and the interface?

When I say 'this way' what I mean is that our data file(s) are
uploaded via an HTML file form upload widget, I capture the OS name
with tmpFileName, use that as a file handle to open and read the
contents of the file, close the file, and write the reports to the
local file system BEFORE THE CGI SCRIPT EXITS! I don't want to save a
local copy of the input files on the server, and it was easier to do
it this way rather than writing to a local file, then munging the
local file before deleting it.

Thanks, CC.

Site Timeline