Re: File Upload security

by "Lauri Vain" <optima(at)hot.ee>

 Date:  Mon, 16 Apr 2001 20:27:35 +0300
 To:  <shawn(at)sportsstuff.com>,
"html list" <hwg-basics(at)mail.hwg.org>
 References:  sportsstuff
Hi Shawn,

> from their hard drive.  I'm just going to use the input
> type="file" form element to allow users to send me
> pictures.  I'll be making a CGI script to process the form
...
> loophole that one could use to upload viruses onto the
> server or something like that?

Technically one *could* upload a virus but it doesn't really matter because
nothing (and I mean *nothing*) will happen to the server as the virus (should
somebody choose to upload one) won't be executed by the server. According to
some reports viruses don't spread on *nix systems (Linux, Unix -- your server is
likely to run a brand of one of them) anyhow -- can't confirm that because I
haven't tested running viruses on *nix systems myself. Somebody else on this
list will probably know access issues better.

Back to the point -- as I understand it, you want visitors to be able to upload
images. There is one thing I would recommend you protect against. People
could try to upload files other than images, or just too many images, to waste
your bandwidth and use up your server space. I, personally, would implement a
verification (in case the upload form is open to the public) to check whether the
uploaded file really is an image (checking the extension and file type). If the
file isn't an image, then delete it from the server and don't insert it into a
database.


Once again -- you don't have to worry about viruses, trojan horses, worms
or anything else like that. The most important point you should address while
writing the script is excessive use of the upload form with the intent of
wasting your server's resources.

If you have any questions, feel free to mail the list (hwg-languages and
hwg-techniques would probably be a better choice) or contact me for any further
information you need.

Yours,
Lauri
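The check Lauri describes above (whitelist the extension, confirm the file type, reject anything that isn't an image, and limit how much can be uploaded) written out as a small Python validator. This is an added example, not code from the original message or from the list; the allowed-type table, the 2 MB cap, the random server-side filename and the sample uploads are all assumptions chosen for illustration. It checks the file's leading bytes ("magic numbers") rather than trusting the extension alone, and it rejects the upload before anything is written, so there is no file to delete afterwards.

```python
"""Validate browser image uploads before storing them (added example)."""
import os
import re
import secrets
import tempfile

# Whitelist of extensions and the magic bytes each must start with.
# Assumed set for illustration; extend as needed.
SIGNATURES = {
    ".jpg":  [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".png":  [b"\x89PNG\r\n\x1a\n"],
    ".gif":  [b"GIF87a", b"GIF89a"],
}

MAX_BYTES = 2 * 1024 * 1024   # assumed per-file cap against disk/bandwidth abuse


def client_extension(filename):
    """Lower-cased extension of the client-supplied name, ignoring any
    directory part (some browsers send the full local path)."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return os.path.splitext(base)[1].lower()


def validate_upload(filename, data, max_bytes=MAX_BYTES):
    """Return (ok, reason). ok is True only if the extension is whitelisted,
    the data starts with that type's magic bytes, and the size is within the cap."""
    if not data:
        return False, "empty file"
    if len(data) > max_bytes:
        return False, "file too large"
    ext = client_extension(filename)
    if ext not in SIGNATURES:
        return False, "extension not allowed"
    if not any(data.startswith(sig) for sig in SIGNATURES[ext]):
        return False, "contents do not match extension"
    return True, "ok"


def store_upload(filename, data, upload_dir):
    """Store a validated upload under a random, server-chosen name.
    Returns the new name, or None if the file was rejected (nothing is written)."""
    ok, _reason = validate_upload(filename, data)
    if not ok:
        return None
    # Never reuse the client's name: it could collide with or overwrite
    # existing files, or carry path pieces.
    new_name = secrets.token_hex(8) + client_extension(filename)
    with open(os.path.join(upload_dir, new_name), "wb") as fh:
        fh.write(data)
    return new_name


# Constructed sample uploads (not real files): client name -> bytes.
SAMPLES = {
    "photo.png":        b"\x89PNG\r\n\x1a\n" + b"\x00" * 64,
    "C:\\pics\\me.JPG": b"\xff\xd8\xff\xe0" + b"\x00" * 64,
    "shell.php":        b"<?php system($_GET['c']); ?>",
    "fake.jpg":         b"<?php system($_GET['c']); ?>",
    "huge.gif":         b"GIF89a" + b"\x00" * (MAX_BYTES + 1),
}


def demo(upload_dir=None):
    """Run every sample through store_upload; return {name: stored_name_or_None}."""
    upload_dir = upload_dir or tempfile.mkdtemp(prefix="uploads-")
    return {name: store_upload(name, data, upload_dir)
            for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name!r:22} -> {'stored as ' + result if result else 'rejected'}")
```

In a CGI script the `filename` and `data` would come from the multipart form field; the sample dictionary stands in for that here. Note that a script named `shell.php` is refused on its extension, while the same script renamed `fake.jpg` is refused because its bytes are not a JPEG, which is the case an extension-only check would miss.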

HTML: hwg-basics mailing list archives, maintained by Webmasters @ IWA