File upload & viruses / security

How safe is it?

         

bluedalmatian

12:57 am on Mar 25, 2005 (gmt 0)

10+ Year Member



How safe is it to allow users to upload text files & images to the server?

Should I have a virus checker scan all uploads?

By the way, I typically use Linux servers, or some form of Unix anyway, if that bears any significance.

Thanks
AW

jatar_k

1:59 am on Mar 26, 2005 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



I think part of it in this instance is who are the people who are uploading? Is there any level of trust or are they just random users from wherever?

None of those should be executable types, so that helps.

bluedalmatian

10:41 pm on Mar 27, 2005 (gmt 0)

10+ Year Member



No, they're just random unknown visitors.

wrightee

11:34 pm on Mar 27, 2005 (gmt 0)

10+ Year Member



A few things to make it safer:

- Set the permissions of the upload directory to be as restrictive as possible
- Don't upload to a web accessible dir; upload to a 'sandbox' directory so you can do as many checks as you need to on the files before moving them to their final destination
- $filename=preg_replace("/[^a-z0-9_-]/","_",$filename) or similar before copying
- Make their final destination directory non executable by anyone if possible
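
The checks from the list above combined into one flow, as an added example that is not part of any post in this thread. It assumes PHP 7.1+ with the fileinfo extension; the function names, size limit, allow-list and demo directories are hypothetical, and the sample files are constructed.

```php
<?php
// Added example: vet a file in a non-web "sandbox" directory, then publish it.
const ALLOWED = ['text/plain' => 'txt', 'image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];
const MAX_BYTES = 2 * 1024 * 1024; // hypothetical limit

// Same idea as the preg_replace in the post: keep only [a-z0-9_-]; the client's extension is dropped.
function safe_basename(string $clientName): string {
    $stem = strtolower(pathinfo($clientName, PATHINFO_FILENAME));
    $stem = substr(preg_replace('/[^a-z0-9_-]/', '_', $stem), 0, 64);
    return ($stem === '' ? 'upload' : $stem) . '_' . bin2hex(random_bytes(4));
}

// $quarantined is a file already stored outside the web root under a random name.
// Returns the final path, or null if the file was rejected (and deleted).
function vet_and_publish(string $quarantined, string $clientName, string $finalDir): ?string {
    $size = filesize($quarantined);
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($quarantined); // type from content, not from the name
    $ok = $size > 0 && $size <= MAX_BYTES && array_key_exists($mime, ALLOWED);
    if ($ok && strpos($mime, 'image/') === 0) {
        $ok = @getimagesize($quarantined) !== false; // must also parse as an image
    }
    if (!$ok) { unlink($quarantined); return null; }
    $dest = $finalDir . '/' . safe_basename($clientName) . '.' . ALLOWED[$mime]; // extension from detected type
    if (!rename($quarantined, $dest)) { return null; }
    chmod($dest, 0644); // no execute bit on the stored file
    return $dest;
}

// Constructed demo for the CLI. In a real handler the quarantine step is
// move_uploaded_file($_FILES['f']['tmp_name'], $quarantineDir . '/' . bin2hex(random_bytes(8)))
// where 'f' is a hypothetical form field name.
$base = sys_get_temp_dir() . '/upload_demo_' . bin2hex(random_bytes(4));
mkdir("$base/quarantine", 0700, true); // as restrictive as possible
mkdir("$base/final", 0755, true);
$samples = [ // constructed inputs: client file name => content
    'Notes 2005.TXT' => "plain text from a visitor\n",
    'photo.png'      => "named like an image, but the content is text\n",
    'report.pdf'     => "%PDF-1.4\nconstructed sample, type not on the allow-list\n",
];
foreach ($samples as $name => $body) {
    $q = "$base/quarantine/" . bin2hex(random_bytes(8));
    file_put_contents($q, $body);
    $result = vet_and_publish($q, $name, "$base/final");
    echo $name, ' => ', $result ?? 'rejected', "\n";
}
```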