Upload v2.6

Upload is a cgi-bin program that can be used to upload one or more files to a WWW server, using standard HTML forms. It uses the http protocol, so there is no need for an FTP server. The program works with Netscape 3.0 or higher, Internet Explorer 4.0 or higher, and any other browser that supports RFC 1867.

  • User-friendly upload through forms
  • Upload with browser only, no FTP or plugins needed
  • Powerful configuration options
  • Upload without userid/password
  • Standard cgi-bin application (binary)
  • Unix and Windows 98/NT/2000
  • Free!

PHP

If your webserver supports the PHP scripting language then you should really use it instead of this “Upload” program, it’s much more flexible. To get you started here’s a  *  PHP example (“upload.zip”, 1Kb). It basically does all the same things as “Upload”, but in just a few lines of code! For more information about PHP see  *  the PHP website.

Warning

Many people want to use this program to build a section on their website where visitors can upload images (or other stuff) that immediately become “visible” on their website. The following form of abuse then becomes possible. A hacker packs some illegal software into a zip file, renames it into gif or jpg, uploads it to your server, and then places the URL of the “image” on a bulletin board. People start downloading it like there’s no tomorrow, and you have to pay the bill for extra traffic. You should only use this Upload program for closed area’s on your website, not public area’s!

Download and Install

The Upload program is written in standard ANSI-C. To use the program you must have cgi-bin capability on your server. If you cannot run standard cgi-bin binaries on your webserver then you cannot use the Upload program. If the webserver is running Unix then you will need access to a C compiler.

Download

 *  Download Upload-2.6.tar.gz for Unix webservers (8Kb)
 *  Download Upload-2.6.zip for Windows 98/NT/2000 webservers (45Kb)

Install

  1. Place the program on your webserver.
    • Unix:
      1. Edit the Makefile and change the “BINDIR” setting. It is unlikely that you’ll have to change anything else.
      2. Run “make”.
      3. Run “make install”. This will copy the program to the BINDIR and set an s-bit on the program.
    • Windows 98/NT/2000:
      Copy the “upload.exe” program to a folder on your webserver that has “Execute Permissions” for “Scripts and Executables”. A good location on the default server is: C:InetpubwwwrootScriptsupload.exe
  2. Copy the example configuration file “upload.cfg” to the same directory as the “upload.exe” program. Use an editor to change the content of the configuration file (see elsewhere on this page for an explanation of the configuration file).
  3. Copy the three html files from the distribution’s “html” directory to your webserver. The exact location doesn’t matter. Change the files as needed:
    index.html
    The html to upload a file. Make sure that the “action” points to your location of the “upload.exe” program, probably “/cgi-bin/upload.exe” (Unix) or “/Scripts/upload.exe” (Windows).
    OkPage.html
    The page that will be displayed after a succesful upload. Make sure the “OkPage” setting in the configuration file points to this file on your harddisk.
    BadPage.html
    The page that will be displayed when something is wrong. Make sure the “BadPage” setting in the configuration file points to this file on your harddisk.
  4. Ready. You may now test the program by opening the “index.html” form in a browser. The program will automatically create the upload directory with the appropriate permissions, you don’t have to create it by hand.

Using

Upload is used by adding a form to your html page. Here is an example which you can cut and paste:

 


 

 

 

<form action=”/cgi-bin/upload.exe” enctype=”multipart/form-data” method=post>
<input type=file name=Whatever>
<input type=submit value=Upload>
</form>

The “action” of this form points to the Upload program in your cgi-bin directory. The program will receive the form and store the file (or files) on disk. You can specify more than one “<input type=file name=Whatever>” fields in the form, to upload more than one file with one form. The “Whatever” field can be anything you like.

You can specify some extra hidden fields containing parameters:

 

Config Name of the configuration to use. You can specify more than one configuration in the configuration file. For example: <input type=hidden name=config value=Jeroen>
FileName Filename to use to store the file in. The default is the original filename (the filename with which the file is stored on the computer of the user that is uploading the file). With the “FileName” field you can override this. For example:<input type=hidden name=FileName value=”new.txt”>

The fields are interpreted sequentially from first to last, so you must specify the FileName parameter before the file itself.

Good:

    • <form action=”/cgi-bin/upload.exe” enctype=”multipart/form-data” method=post>
    • <input type=hidden name=FileName value=”new.txt”>
    • <input type=file name=Whatever>
    • <input type=submit value=Upload>
    </form>

Bad:

    • <form action=”/cgi-bin/upload.exe” enctype=”multipart/form-data” method=post>
    • <input type=file name=Whatever>
    • <input type=hidden name=FileName value=”new.txt”>

Too late!

    • <input type=submit value=Upload>
    </form>
OkPage The file to display if the upload was succesful. OkUrl will overrule the OkPage setting, so you can use either OkPage or OkUrl, but not both. For example:<input type=hidden name=OkPage value=”d:docsuploadok.html”>

There are three special tags you can use in your page:

  • Files uploaded: <insert filecount>
  • Bytes uploaded: <insert bytecount>
  • Filename of the last file uploaded: <insert lastfilename>
OkUrl The URL to jump to if the upload was succesful. OkUrl will overrule the OkPage setting, so you can use either OkPage or OkUrl, but not both. For example: <input type=hidden name=OkUrl value=”http://www.kessels.com/upload/ok.html”>
BadPage The file to display if the upload was not succesful. The file should contain a special tag “<insert message>” somewhere, which will be replaced by an error message. BadUrl will overrule the BadPage setting, so you can use either BadPage or BadUrl, but not both. For example: <input type=hidden name=BadPage value=”d:docsuploaderror.html”>
BadUrl The URL to jump to if the upload was not succesful. BadUrl will overrule the BadPage setting, so you can use either BadPage or BadUrl, but not both. For example: <input type=hidden name=BadUrl value=”http://www.kessels.com/upload/error.html”>

 

Configuration file

The Upload program has a configuration file called “upload.cfg”. It must be stored in the same directory as the program itself (the cgi-bin directory) or in one of the directories in the path. The configuration file looks like this:

 

Config          = Default
  Root          = d:incoming
  FileMask      = *
  IgnoreSubdirs = YES
  Overwrite     = YES
  LogFile       = d:logsupload.log
  OkPage        = d:docsuploadOkPage.html
  BadPage       = d:docsuploadBadPage.html
  Debug         = 0
Config          = Jeroen
  Root          = d:jeroen
  IgnoreSubdirs = NO
  OkPage        = d:jeroenuploadOkPage.html
  BadPage       = d:jeroenuploadBadPage.html

 

This example contains two configurations: the default and a configuration called “Jeroen”. The default configuration defines all settings possible. The “Jeroen” configuration changes a few of the default settings.The following settings are possible in the configuration file:

 

Config Name of the configuration. You can select a configuration in the form with a hidden field named “config”. The very first configuration in the file is always used as the default configuration, whatever it’s name. For example: config = Jeroen
Root The root directory where all uploaded files will be stored. For example:Root = d:/upload/

Warning: do not configure a directory inside the webserver’s document tree (where your html and images are). See the “Warning” paragraph at the top of this page for more information.

FileMask Only files that match the FileMask will be accepted. The mask can contain ‘*’ (any characters) or ‘?’ (any character). The FileMask is compared with the full pathname of the file, including directory. For example:FileMask = *.gif

Warning: the mask is not a content filter. It only applies to the name of the file, not the content.

IgnoreSubDirs If this parameter is “YES” then all subdirectories are stripped from incoming filenames, so that only the filename is left. If this parameter is “NO” then the complete incoming filename is appended to the Root. Please note that if the user is working on a PC that the incoming filename will include a drive designation (“c:autoexec.bat”), which is not stripped. For example:IgnoreSubDirs = NO

Warning: if this setting is ‘NO’ then it is possible to break out of the root by using ‘..’ in the incoming filename, making it possible to overwrite any file on your server. Only use ‘NO’ if you have protected the program by userid/password.

Overwrite If this parameter is “NO” then uploads are refused for those files that already exist. If this parameter is “YES” then existing files can be replaced. If this parameter is “MUST” then files can only be uploaded if they already exist. For example: OverWrite = YES
LogFile The filename (including directories) of the file where logging information will be stored. Each upload will cause a line to be appended to the log. If the LogFile is not specified then no logging information will be written. For example: LogFile = d:logsupload.log
OkPage The file to display if the upload was succesful. OkUrl will overrule the OkPage setting, so you can use either OkPage or OkUrl, but not both. For example:OkPage = d:docsuploadok.html

There are three special tags you can use in your page:

  • Files uploaded: <insert filecount>
  • Bytes uploaded: <insert bytecount>
  • Filename of the last file uploaded: <insert lastfilename>
OkUrl The URL to jump to if the upload was succesful. OkUrl will overrule the OkPage setting, so you can use either OkPage or OkUrl, but not both. For example: OkUrl = http://www.kessels.com/upload/ok.html
BadPage The file to display if the upload was not succesful. The file should contain a special tag “<insert message>” somewhere, which will be replaced by an error message. BadUrl will overrule the BadPage setting, so you can use either BadPage or BadUrl, but not both. For example: BadPage = d:docsuploaderror.html
BadUrl The URL to jump to if the upload was not succesful. BadUrl will overrule the BadPage setting, so you can use either BadPage or BadUrl, but not both. For example: BadUrl = http://www.kessels.com/upload/error.html
Debug If not-zero then show a debug screen. For example: Debug = 1

 

Tricks

Starting a program after an upload
You can specify a cgi-bin script as “OkUrl”, or you can use the “OkPage” to start such a script. It can do all the processing you need, such as starting a program, and you can show specific results to the user.