Forcing MIME types to secure uploads directory

I'm trying to secure an uploads directory by forcing file types

         

MickeyRoush

12:38 pm on Mar 16, 2012 (gmt 0)

10+ Year Member



I'm not sure if this is even possible. It's just an idea that I thought up. I'd like to force all file types that go into an upload directory to plain text (for security reasons), then whitelist the file types that are available.

Does this sound doable?

Here is what I've come up with:

# Force all files to text/plain, then whitelist the required types
<FilesMatch "\.[a-zA-Z]+">
ForceType text/plain
</FilesMatch>

# Allowable MIME-types (whitelisting)
<FilesMatch "\.[Jj][Pp][Ee]?[Gg]$">
ForceType image/jpeg
</FilesMatch>
<FilesMatch "\.[Pp][Nn][Gg]$">
ForceType image/png
</FilesMatch>
<FilesMatch "\.[Gg][Ii][Ff]$">
ForceType image/gif
</FilesMatch>
<FilesMatch "\.[Pp][Dd][Ff]$">
ForceType application/pdf
</FilesMatch>
<FilesMatch "\.[Gg][Zz]$">
ForceType application/x-gzip
</FilesMatch>


Any ideas or alternatives would be greatly appreciated.

phranque

12:40 pm on Mar 17, 2012 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



typically those whitelisted filetypes will already be specified in the configuration - usually using the mod_mime directives TypesConfig and AddType or the core directive DefaultType.

i would suggest renaming the non-whitelisted filetypes to .txt in the upload script.
that way your default mime type for the .txt file type will be in effect and if your visitor downloads and saves the file it still has "text file" behavior, retaining your sense of security.
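
The rename suggested in the reply above, as an added example that is not part of the original thread. Python is an assumption (the thread does not name the upload script's language), `stored_name` is a hypothetical helper, and the whitelist is copied from the FilesMatch blocks in the first post.

```python
import re

# Extensions whitelisted by the FilesMatch blocks in the first post.
ALLOWED = {"jpg", "jpeg", "png", "gif", "pdf", "gz"}


def stored_name(client_name: str) -> str:
    """Return the file name an upload is saved under (hypothetical helper)."""
    # Keep only the last path component; clients may send a full path
    # using either separator style.
    base = client_name.replace("\\", "/").rsplit("/", 1)[-1]
    # Restrict the name to a conservative character set.
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base)
    # Leading dots would create per-directory config or hidden files
    # such as .htaccess.
    base = base.lstrip(".")

    stem, dot, ext = base.rpartition(".")
    if not dot:  # no extension at all
        stem, ext = base, ""
    ext = ext.lower()

    # Apache's mod_mime can act on every extension in a name, not only
    # the last one, so inner dots are flattened ("shell.php.jpg").
    stem = stem.replace(".", "_") or "upload"

    if ext in ALLOWED:
        return f"{stem}.{ext}"
    # Not whitelisted: the original extension stays visible in the stem,
    # but the only real extension is .txt, so the server's default
    # mapping for .txt applies.
    return f"{stem}_{ext}.txt" if ext else f"{stem}.txt"


if __name__ == "__main__":
    # Constructed sample names, not taken from the thread.
    for name in ["photo.JPG", "shell.php", "shell.php.jpg", ".htaccess",
                 "../../etc/passwd", "C:\\Users\\me\\report.pdf"]:
        print(f"{name!r:32} -> {stored_name(name)}")
```

The helper only decides the stored name; handling collisions between uploads that map to the same name is left to the caller.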