Security concerns with uploading files

Started by iago, January 26, 2004, 09:25 PM

iago

If users are allowed to upload their own files, what do we have to be careful of?

So far, I'm filtering out everything except Letters, Numbers, underscores, periods, and dashes.  Is this safe?  Originally the code was filtering any pair of periods, like "te..st", but I don't see a problem with that if slashes aren't allowed.

Is this ok?
This'll make an interesting test for broken AV:
Quote: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


Grok

Regardless of what they named it, save it with a name you create randomly.  In this way, no matter what they upload, they won't ever be able to find it to execute it.  Say they upload ImATrojan.exe .... let them.  Save it as 8724JOGIJ495872 and on the page where they can download, present it to the user as "ImATrojan.exe" but the file it sends is "8724JOGIJ495872".  Follow?

j0k3r

Wouldn't it then be possible to right click on the link and find out what the file is actually called?
Quote: Anyone attempting to generate random numbers by deterministic means is, of course, living in a state of sin
John Vo

Grok

To the downloader, it would be called ImATrojan.exe.  But on the server, it could be called anything you wanted.

iago

But the issue here is that the server is being designed to store files for them, and eventually they are going to be able to use it to make websites.  For uploading zip files (which are automatically extracted by the Java), I append the Date.getCurrentTimeInMillis() to the end, but generally they have to know the name.

I suppose, for security, it would be possible to rename the files, and have a hidden index file that maps the changed names to the real names... but I think that might be excessive?

The machine that files are being stored on is Linux, and they will have only rw- access to it, so it won't get executed.
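
The approach discussed in this thread, as an added Java example that is not code from any poster: the character allow-list iago describes, combined with Grok's server-chosen random stored name and an index back to the display name. The class and method names are hypothetical, Java 17+ (for `HexFormat`) and a POSIX file system are assumed, and rejecting names made only of periods goes beyond what the thread states.

```java
import java.io.IOException;
import java.nio.file.*;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.SecureRandom;
import java.util.HexFormat;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Pattern;

public class UploadStore {                       // hypothetical class name
    // Allow-list from the thread: letters, digits, underscore, period, dash.
    private static final Pattern SAFE = Pattern.compile("[A-Za-z0-9_.-]{1,100}");
    private static final SecureRandom RNG = new SecureRandom();
    private final Path root;
    // Stored (random) name -> name shown to downloaders: the "hidden index".
    private final Map<String, String> index = new ConcurrentHashMap<>();

    public UploadStore(Path root) { this.root = root; }

    static boolean isSafeDisplayName(String name) {
        // "." and ".." pass the character filter but name directories,
        // so a name consisting only of periods is rejected as well.
        return name != null && SAFE.matcher(name).matches() && !name.matches("\\.+");
    }

    public String save(String clientName, byte[] data) throws IOException {
        if (!isSafeDisplayName(clientName))
            throw new IllegalArgumentException("rejected file name");
        byte[] id = new byte[16];
        RNG.nextBytes(id);
        String stored = HexFormat.of().formatHex(id); // server-chosen, no extension
        Path target = root.resolve(stored);
        // createFile fails rather than overwriting; rw------- has no execute bit.
        Files.createFile(target, PosixFilePermissions.asFileAttribute(
                PosixFilePermissions.fromString("rw-------")));
        Files.write(target, data);
        index.put(stored, clientName);
        return stored;
    }

    public String displayNameFor(String stored) { return index.get(stored); }

    public static void main(String[] args) throws IOException {
        UploadStore store = new UploadStore(Files.createTempDirectory("uploads"));
        String id = store.save("ImATrojan.exe", new byte[] {1, 2, 3}); // constructed sample
        System.out.println(id + " -> " + store.displayNameFor(id));
        for (String n : new String[] {"te..st", "..", "../etc/passwd", "a b.txt"})
            System.out.println(n + " allowed? " + isSafeDisplayName(n));
    }
}
```

Because the client-supplied name is only ever stored as data in the index and never used as a path, the allow-list protects what is displayed to downloaders while the on-disk name stays entirely under the server's control.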