Jump to content
Larry Ullman's Book Forums

Dealing With Malicious File Uploads


Jonathon
 Share

Recommended Posts

Hi Larry,

 

I wanted to get your opinion on how to deal with sites that upload and can share media of some kind. I've currently restricted users to only being able to upload certain types of files by mime-type as shown in the book.

 

I have the files stored in a protected directory. 

 

I then looked into virus protection, I've seen that you can use things like SiteLock that scan your systems. But I've also seem things like http://php-clamav.sourceforge.net/ that seem to scan the file as it's uploaded.

 

I haven't looked anymore into this yet. I just wondered what your perspective on this kind of thing is and how to combat it?

 

Thanks

 

Jonathon

Link to comment
Share on other sites

For optimum security, I would:

 

- Restrict the file upload by size

- Use Fileinfo to restrict the file upload by type

- Store the uploaded file outside of the web root directory

- Rename the uploaded file

 

I think that's reasonably secure for most uses. The use of ClamAV via PHP-ClamAV would be a nice additional layer, but you'll have to factor in the extra time required to do the virus scan on all uploaded files.

Link to comment
Share on other sites

Jonathon since you are talking about file uploads, can you tell me any Yii extension you would recommend or have had success with for doing this? I used the SWFUpload for loading up multiple pictures but i need to make an upload script for uploading a profile picture and need to use something else, otherwise i will have to try to configure SWFUpload to work for both situations which means doing a lot of extra coding.

Link to comment
Share on other sites

Yes that's cool but my site is not on the server yet, i was looking for something more with javascript features so the image was displayed on the screen once you uploaded it and you can remove it via javascript. The problem with the last script i wrote is that images have to be uploaded to the server and unused images have to be removed later on through a cron job or admin feature. You can't be sure that someone will use that picture that they have uploaded. On my site you can upload 100 pictures or more for an item if you really wanted to, they display on the screen and can be removed via the screen. And the picture's show up again at the point at which you are up to after a php form submission. I spend 6 weeks i think on that uploader part, but like i said the SWFUpload script was built only to handle that page and would take alot of additional coding to handling a single upload so i am looking for something more simple this time. Eh what the heck maybe i will try to make SWFUpload multitask, i guess may be its not that difficult.

Link to comment
Share on other sites

 Share

×
×
  • Create New...