Sanitizing Uploads

Elven6

I was working on some PHP code and realized uploads posed a risk to the CMS. Security has never been my strong point when coding but I hope to change that now so please bear with my "noviceness". :)

Originally I thought of placing a .htaccess file in all upload directories turning off the PHP engine so if some malicious file was uploaded in any of those directories, nothing could happen.

I also came across a tutorial to sanitize using PHP code; which would be the preferred method to proceed? I assume the .htaccess version would be recommended, since the other could lead to difficulties depending on hosts?
 
I would recommend avoiding setting 777 access on your directories. My preferred approach is to use suphp (in which case your PHP script runs as the account owner, not as the apache user). If this is not an option, you could keep your uploads in a directory which is in the apache group and allow group write access.

You can try disabling scripts; however, your server may be configured for more than one scripting language. If a new one is added to your apache config file, then you may have a security problem. Keeping your upload directory outside of your main web space can be used to avoid this problem. Files can't be retrieved directly from a URL; they would have to be fetched via a script. You can then use a rewrite rule to execute the script, which reads the file contents and returns them. The advantage of this is that there is no possibility of apache executing a malicious upload.

You can also do some checking on the filename/filesize at upload time. For example, if you only allow images, restrict uploads to known image extensions (.png, .gif, .jpg, .jpeg, etc.).
 
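The upload-time checks and the outside-the-web-space storage described in the post above, put together as an added example (this is not code from the thread; the private directory path, the 2 MiB limit, the form field name and the `uploads` table are all assumed for the illustration):

```php
<?php
// Added example: accept an image upload, validate it, give it a random name and
// store it outside the web root so Apache can never serve or execute it directly.
// Assumed layout: this script lives in the web root; uploads go to
// /var/www/example/uploads_private (assumed path), which is NOT under DocumentRoot.

declare(strict_types=1);

const UPLOAD_DIR = '/var/www/example/uploads_private'; // assumed; must not be web-accessible
const MAX_BYTES  = 2 * 1024 * 1024;                   // 2 MiB, an arbitrary limit for this example

// Allow-list: extension => the MIME type the file's *content* must sniff as.
const ALLOWED_TYPES = [
    'png'  => 'image/png',
    'gif'  => 'image/gif',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
];

/**
 * Validate one entry from $_FILES and move it into UPLOAD_DIR under a random name.
 * Returns the stored filename (to be recorded in the database next to the
 * original name) or throws on any failure.
 */
function storeUpload(array $file): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or was incomplete');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }

    // 1. Extension check on the client-supplied name (it is trusted for nothing else).
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        throw new RuntimeException('Extension not allowed');
    }

    // 2. Content check: sniff the real MIME type from the bytes; $file['type'] is client-controlled.
    $finfo   = new finfo(FILEINFO_MIME_TYPE);
    $sniffed = $finfo->file($file['tmp_name']);
    if ($sniffed !== ALLOWED_TYPES[$ext]) {
        throw new RuntimeException('Content does not match extension');
    }

    // 3. For images, make sure the image decoder accepts the file as well.
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Not a decodable image');
    }

    // 4. Random name: the original filename never reaches the filesystem.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest   = UPLOAD_DIR . '/' . $stored;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not move file');
    }
    chmod($dest, 0640); // plain data, never a script: no execute bit

    return $stored;
}

// Usage (assumes a form field named "upload" and a $pdo connection, both assumed):
// $stored = storeUpload($_FILES['upload']);
// $pdo->prepare('INSERT INTO uploads (stored_name, original_name) VALUES (?, ?)')
//     ->execute([$stored, $_FILES['upload']['name']]);
```

The extension and content checks are deliberately both applied: the extension alone is a client-supplied string, and the sniffed type alone would let a correctly-formed image be saved under a name the server might treat as a script if the directory were ever exposed.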
As qbert said, the best method is to make sure your upload directory is not in a directory accessible from the web; this stops people from easily running their own scripts on your server. When uploading, rename them as well and store the locations in a database; this helps to stop someone who has uploaded something to their server from knowing where it is!
 
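The other half of that design, the script that qbert's rewrite rule points at and that looks the random name up in the database the post above mentions, as an added example (not code from the thread; the private directory, the `uploads` table and the `/files/<id>` URL layout are assumed, matching nothing in the original):

```php
<?php
// Added example: serve a stored upload through a script so the file is read and
// returned as data, never handed to Apache as a URL. Assumes the same private
// directory and an `uploads` table (stored_name, original_name); both are assumed.

declare(strict_types=1);

const UPLOAD_DIR = '/var/www/example/uploads_private'; // assumed
const CONTENT_TYPES = [
    'png'  => 'image/png',
    'gif'  => 'image/gif',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
];

/**
 * Look up the opaque stored name, verify it, and stream the bytes back.
 * $id comes from the URL (e.g. /files/<id> rewritten to serve.php?id=<id>).
 */
function serveUpload(PDO $pdo, string $id): void
{
    // The stored name is 32 hex chars plus an allowed extension; anything else
    // (including "../", "%00" or a client-chosen filename) is rejected outright.
    if (!preg_match('/\A[0-9a-f]{32}\.(png|gif|jpe?g)\z/', $id)) {
        http_response_code(404);
        exit;
    }

    $stmt = $pdo->prepare('SELECT original_name FROM uploads WHERE stored_name = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    $path = UPLOAD_DIR . '/' . $id;
    if ($row === false || !is_file($path)) {
        http_response_code(404);
        exit;
    }

    // The type comes from our allow-list, never from the file name or the request.
    $ext = strtolower(pathinfo($id, PATHINFO_EXTENSION));
    header('Content-Type: ' . CONTENT_TYPES[$ext]);
    header('X-Content-Type-Options: nosniff');   // stop browsers re-interpreting the bytes
    header('Content-Length: ' . (string) filesize($path));

    // Offer a download name derived from the original, reduced to plain characters.
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', $row['original_name']) ?: 'file';
    header('Content-Disposition: inline; filename="' . $safeName . '"');

    readfile($path);
    exit;
}

// Usage: serveUpload($pdo, $_GET['id'] ?? '');
//
// Matching rewrite rule for the web root's .htaccess (assumes mod_rewrite is enabled):
//   RewriteEngine On
//   RewriteRule ^files/([0-9a-f]{32}\.(?:png|gif|jpe?g))$ serve.php?id=$1 [L]
```

Because the only way to reach a stored file is through this script, the upload directory can sit anywhere the PHP process can read, and a file that somehow slipped past the upload checks is still only ever returned as bytes with an image content type.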
Thanks for all the input,

I didn't think about the image rename thing, I've seen a few CMS's that do rename the images but never thought it was to serve security purposes!

I should have explained earlier, this is a public script so if I do implement upload restrictions I guess making them configurable would be best? At the same time, wouldn't turning the PHP engine off in user upload folders also work?
 
> Thanks for all the input,
>
> I didn't think about the image rename thing, I've seen a few CMS's that do rename the images but never thought it was to serve security purposes!
>
> I should have explained earlier, this is a public script so if I do implement upload restrictions I guess making them configurable would be best? At the same time, wouldn't turning the PHP engine off in user upload folders also work?

You could turn the PHP engine off, but then what if they upload a different kind of script (perl, bash, etc.)? If they can access it from the browser they can effectively run anything on your server. It'd be a lot harder to turn off every possible script that the server can run.
 
> You could turn the PHP engine off, but then what if they upload a different kind of script (perl, bash, etc.)? If they can access it from the browser they can effectively run anything on your server. It'd be a lot harder to turn off every possible script that the server can run.

Thanks for the input, never thought of it like that. I guess I can still include the file after factoring in all of the other things as well. Nothing is ever 100% after all, but it doesn't hurt trying to get close enough! :p
 
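For the case the thread ends on, an upload folder that has to stay inside the web space, the per-interpreter "turn PHP off" approach can be replaced by telling Apache to treat everything in that directory as static data. This is an added example, not configuration from the thread; it assumes Apache 2.4, that AllowOverride permits the Options and FileInfo directives, and that PHP runs as mod_php (under suphp or php-fpm the `php_flag` line is an unknown directive and must be dropped, which is why the remaining lines do the real work):

```apache
# .htaccess inside the web-accessible upload directory (added example).
# Assumes Apache 2.4 with AllowOverride Options FileInfo; drop php_flag if PHP
# is not loaded as mod_php, since it is then not a recognised directive.
php_flag engine off

# No CGI, no server-side includes in this directory.
Options -ExecCGI -Includes

# Detach every script handler/type from common interpreter extensions...
RemoveHandler .php .phtml .php5 .pl .py .cgi .sh
RemoveType    .php .phtml .php5

# ...and force the core static-file handler for whatever remains.
SetHandler default-handler

# Belt and braces: refuse to serve script-looking names at all.
<FilesMatch "\.(php|phtml|php5|pl|py|cgi|sh)$">
    Require all denied
</FilesMatch>
```

`SetHandler default-handler` is the line that addresses the "what about perl, bash, etc." objection: instead of listing every interpreter, it makes Apache serve the directory's contents as bytes regardless of extension. It still only protects against execution by Apache, so the thread's preferred layout, an upload directory outside the web space, remains the stronger option.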