afrayedknot

Secure and store uploads from malicious users and files

So I'm writing an app at the moment that will accept files from users. These files can be sent via upload, inbound email (through Mandrill - but it basically 'posts' them to the server) and Dropbox.

How can I ensure the security of the files, so that users cannot upload anything malicious? i.e. a .htaccess or .php file? Or an image that has code inside of it etc.

I need to allow for images, PDF and probably Excel and Word docs. I can reject the rest.

I'm thinking a 'whitelist' - but I'd be keen for security best practices on this.

0 likes
1 reply
bashy

You can check with content types, if the image is an image (width, height). You can stop certain extensions and don't allow anything to execute in the upload folder. I've seen a lot of sites with weak upload scripts that only check the content-type, just test it yourself if you want to be 100% sure.

You can disable PHP executing in say /uploads so that someone can't execute a PHP file there (if they do get past the checks).

Here's loads of articles about it: https://www.google.co.uk/#q=upload+php+file+as+image+hack
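
An allowlist check along the lines discussed in this thread, as an added example that is not part of either post. The function name `storeUntrustedFile`, the `ALLOWED_UPLOADS` map and the storage directory are assumptions; it expects the file to already be on disk, whichever of the three channels it arrived through.

```php
<?php
declare(strict_types=1);

// Assumed policy: extension => MIME types accepted for that extension.
// libmagic builds differ in how they report Office files; log rejects and adjust.
const ALLOWED_UPLOADS = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
    'pdf'  => ['application/pdf'],
    'xlsx' => ['application/vnd.openxmlformats-officedocument.spreadsheetml.sheet'],
    'docx' => ['application/vnd.openxmlformats-officedocument.wordprocessingml.document'],
];

/**
 * Validate a file from an upload, inbound email or Dropbox fetch and move it
 * into private storage. Returns the stored filename or throws on rejection.
 */
function storeUntrustedFile(string $tmpPath, string $clientName, string $storageDir): string
{
    // 1. Extension allowlist, taken from the last dot only ("shell.php.jpg" => "jpg").
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_UPLOADS[$ext])) {
        throw new RuntimeException("Extension not allowed: {$ext}");
    }

    // 2. Sniff the type from the file's bytes; the client-sent Content-Type is not used.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !in_array($mime, ALLOWED_UPLOADS[$ext], true)) {
        throw new RuntimeException("Content does not match .{$ext}: " . var_export($mime, true));
    }

    // 3. Images must also parse as images (the width/height check from the reply).
    if (strpos($mime, 'image/') === 0 && @getimagesize($tmpPath) === false) {
        throw new RuntimeException('File is not a readable image');
    }

    // 4. Server-generated name: the client's filename never reaches the filesystem,
    //    so ".htaccess", "../" sequences and double extensions cannot be stored.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!rename($tmpPath, rtrim($storageDir, '/') . '/' . $stored)) {
        throw new RuntimeException('Could not move file into storage');
    }
    return $stored;
}
```

A file that passes all three checks can still carry embedded code (a valid image with PHP in its metadata, for instance), so `$storageDir` should sit outside the web root or in a directory where script execution is disabled, as the reply recommends.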
