EnokViking:

Requests - file uploads & security

Hello!

I have a small issue with file uploads. It's not that it doesn't work, I'm just not sure if what I'm doing is bad practice or not. I'm also under the impression that just checking for the mimetype is a very thin layer of security since it can easily be faked.

Anyways, when a user submits a file to the server, it is validated by the validator (mimetype, max filesize, that kind of stuff).

Then I check the file extension just to make sure that the folder doesn't get bloated with image files that have a random extension. I should probably extend the validator class and add my own rule for this, though.

Then I move & rename the file using the Storage facade, since I'll be switching to Amazon S3 later.

The name is generated like this btw, if you wonder: md5(time())

I also store the filename in a table, along with other things such as a title (this is also submitted by the user ofc) and the original filename, mimetype etc.

To access the file I have a subdomain that points to storage/content, rather than the public folder.

So, for instance, you visit static.mydomain.io/filename.jpg to see the file. Directory listing is disabled and I tried to make a .htaccess that only allows you to access files with the extensions: .jpg, .jpeg, .gif, .png, .webm and .mp4 but with no luck. I don't know if it gets ignored because there's a .htaccess in the root directory or if there can only be one or if I just suck at .htaccess.

# Default-deny: with "order allow,deny" and no "deny" directive, any request
# that does not match an "allow" below is refused.
order allow,deny
# Only files whose (last) extension is in this list may be served from here.
<Files ~ "\.(jpg|jpeg|png|gif|webm|mp4|shtml)$">
    allow from all
</Files>

I put shtml there because a 404.shtml gets generated by the webserver in that directory but it doesn't matter because the config doesn't work for me.

Any tips for an aspiring web developer when it comes to managing file uploads? Do/Don't/Absolutely don't?

0 likes
4 replies
bashy:

Probably wouldn't use md5(time()) alone since two or more could have the same name?

You're right, checking the mimetype is not secure. You want to check mime, extension, getimagesize() (for images) and make sure your configuration for executing php files is correct. I can't say if yours is or what the correct code is to do it since it's different per install/setup. Examples of exploits are using double extension exploit: .php.jpg will be executed as PHP if you have it setup a certain way.

1 like
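The checks bashy lists, written out as an added example (this is not code from the thread or from Laravel): the extension comes from the allowlist, the MIME type is read from the file's magic bytes with finfo rather than from the browser's claim, getimagesize() must agree for images, and the stored name is random instead of md5(time()). The form field name "upload", the size limit and the storage path are assumptions.

```php
<?php
// Added example: validate an upload the way bashy describes, then choose a
// random storage name. Assumes plain PHP with the fileinfo extension.

// Allowed extension => MIME types the file contents must match.
const ALLOWED = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
    'webm' => ['video/webm'],
    'mp4'  => ['video/mp4'],
];
const MAX_BYTES = 10 * 1024 * 1024; // assumed limit

/**
 * Returns the extension the file will be stored under, or throws.
 * $originalName is the client-supplied name (untrusted); $tmpPath is the
 * temp file PHP wrote; $size is its byte count.
 */
function validateUpload(string $originalName, string $tmpPath, int $size): string
{
    if ($size <= 0 || $size > MAX_BYTES) {
        throw new RuntimeException('file size out of range');
    }

    // Only the LAST extension of the client name counts, lower-cased.
    // "shell.php.jpg" yields "jpg"; because the file is renamed below, the
    // stored name never carries an inner ".php" for the server to act on.
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');
    }

    // MIME type from the file contents (magic bytes), not $_FILES['type'],
    // which is just what the browser claimed.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);
    if (!in_array($mime, ALLOWED[$ext], true)) {
        throw new RuntimeException("content type $mime does not match .$ext");
    }

    // For images, getimagesize() must also parse the file and agree on type.
    if (strpos($mime, 'image/') === 0) {
        $info = @getimagesize($tmpPath);
        if ($info === false || $info['mime'] !== $mime) {
            throw new RuntimeException('not a valid image');
        }
    }
    return $ext;
}

/**
 * Random, collision-resistant name. md5(time()) gives two uploads in the
 * same second the same name, so one silently overwrites the other.
 */
function storageName(string $ext): string
{
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Usage; the field name "upload" and the target directory are assumptions.
if (isset($_FILES['upload']) && $_FILES['upload']['error'] === UPLOAD_ERR_OK) {
    $f = $_FILES['upload'];
    if (!is_uploaded_file($f['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    $ext  = validateUpload($f['name'], $f['tmp_name'], $f['size']);
    $name = storageName($ext);
    move_uploaded_file($f['tmp_name'], '/srv/uploads/' . $name);
    // Record $name, $f['name'] and the detected MIME type in the table,
    // as the original post already does.
}
```

Because the stored name is generated server-side from the allowlisted extension, the double-extension case bashy mentions is handled by construction: whatever the client called the file, the name on disk ends in exactly one approved extension.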
EnokViking:

Hey, thanks for the quick response!

Alright, I'll change the name of the files in some other way and also use getimagesize() on images.

The .htaccess seems to work now too, which is great. I didn't do anything to it though so I guess it just needed some time.

I tried uploading a .txt via ftp and it just won't let me and neither will it let me view an existing .txt in that folder so it seems to be working correctly now.

bashy:

The main issue is uploading files that can execute as PHP. How your web server software deals with checking if the requested file is a PHP file is where most fail to protect themselves against exploits. Most of the time it's \.php$ { php fastcgi stuff }

EnokViking:

You lost me there, a little bit. What does that line do? As of right now I'm on a shared host while developing, the web server is LiteSpeed, btw.

I've read up on a couple of articles now and reprocessing images seems to be generally good practice. I have zero experience with this though. Would imagick be a good way to tackle that part, or are there better alternatives that you know of? Feels like a very big library since I probably only want to reprocess the image. Maybe resize it.
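Reprocessing with GD rather than Imagick, as an added example that is not part of the thread: GD ships with most PHP builds and is enough to decode the upload, optionally resize it, and write a brand-new file, so the stored image contains only pixels GD re-encoded and none of the original bytes, metadata or trailing data. Imagick does the same job (readImage, stripImage, resizeImage, writeImage) if it is available. The paths and the width limit are assumptions.

```php
<?php
// Added example: re-encode an uploaded image with GD so the stored file is
// freshly written by the server. $srcPath is the validated temp file,
// $dstPath the destination (both assumed). Returns the extension written.
function reencodeImage(string $srcPath, string $dstPath, int $maxWidth = 1600): string
{
    $info = getimagesize($srcPath);
    if ($info === false) {
        throw new RuntimeException('not an image');
    }

    // Decode from the raw bytes; anything GD cannot parse is rejected here.
    $img = @imagecreatefromstring(file_get_contents($srcPath));
    if ($img === false) {
        throw new RuntimeException('could not decode image');
    }

    // Optional downscale, keeping the aspect ratio.
    $w = imagesx($img);
    $h = imagesy($img);
    if ($w > $maxWidth) {
        $nh = (int) round($h * $maxWidth / $w);
        $resized = imagecreatetruecolor($maxWidth, $nh);
        imagealphablending($resized, false);   // keep PNG/GIF transparency
        imagesavealpha($resized, true);
        imagecopyresampled($resized, $img, 0, 0, 0, 0, $maxWidth, $nh, $w, $h);
        imagedestroy($img);
        $img = $resized;
    }

    // Write a new file in the type the magic bytes reported. Note that
    // animated GIFs come out as a single frame this way.
    switch ($info['mime']) {
        case 'image/jpeg':
            $ok = imagejpeg($img, $dstPath, 85);
            $ext = 'jpg';
            break;
        case 'image/png':
            $ok = imagepng($img, $dstPath, 6);
            $ext = 'png';
            break;
        case 'image/gif':
            $ok = imagegif($img, $dstPath);
            $ext = 'gif';
            break;
        default:
            imagedestroy($img);
            throw new RuntimeException('unsupported type ' . $info['mime']);
    }
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('write failed');
    }
    return $ext;
}

// Usage with assumed paths:
$ext = reencodeImage('/tmp/php_upload_tmp', '/srv/uploads/' . bin2hex(random_bytes(16)) . '.jpg');
```

Run this after the validator has accepted the file and before it is moved to its final name; the re-encoded output, not the original upload, is what gets stored and served.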
