Valhalla Legends Forums Archive | Web Development | Security concerns with uploading files

Author | Message | Time
iago
If users are allowed to upload their own files, what do we have to be careful of?

So far, I'm filtering out everything except letters, numbers, underscores, periods, and dashes. Is this safe? Originally the code was filtering any pair of periods, like "te..st", but I don't see a problem with that if slashes aren't allowed.

Is this ok?
January 27, 2004, 3:25 AM
Grok
Regardless of what they named it, save it with a name you create randomly. In this way, no matter what they upload, they won't ever be able to find it to execute it. Say they upload ImATrojan.exe .... let them. Save it as 8724JOGIJ495872 and on the page where they can download, present it to the user as "ImATrojan.exe" but the file it sends is "8724JOGIJ495872". Follow?
January 27, 2004, 4:17 AM
j0k3r
Wouldn't it then be possible to right click on the link and find out what the file is actually called?
January 27, 2004, 4:27 AM
Grok
To the downloader, it would be called ImATrojan.exe. But on the server, it could be called anything you wanted.
January 27, 2004, 4:51 AM
iago
But the issue here is that the server is being designed to store files for them, and eventually they are going to be able to use it to make websites. For uploading zip files (which are automatically extracted by the Java), I append the Date.getCurrentTimeInMillis() to the end, but generally they have to know the name.

I suppose, for security, it would be possible to rename the files, and have a hidden index file that maps the changed names to the real names... but I think that might be excessive?

The machine that files are being stored on is Linux, and they will have only rw- access to it, so it won't get executed.
January 27, 2004, 2:11 PM
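
The pieces discussed in this thread (the character whitelist from the first post, a server-generated stored name, and an index mapping stored names back to the uploaded names) combined in one added Java example; it is not code from any poster. The class and method names are hypothetical, and an in-memory map stands in for the hidden index file.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.math.BigInteger;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.SecureRandom;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Pattern;

// Added example; UploadStore, save and displayNameFor are hypothetical names.
public class UploadStore {
    // Whitelist from the first post: letters, digits, underscore, period, dash.
    private static final Pattern ALLOWED = Pattern.compile("[A-Za-z0-9_.-]{1,100}");
    private static final SecureRandom RNG = new SecureRandom();
    private final Path root;
    // Stand-in for the index file: stored name -> name shown to users.
    private final Map<String, String> index = new ConcurrentHashMap<>();

    public UploadStore(Path root) throws IOException {
        this.root = Files.createDirectories(root).toRealPath();
    }

    static boolean isAcceptableDisplayName(String name) {
        // "te..st" passes; names made only of periods (".", "..") do not.
        return name != null && ALLOWED.matcher(name).matches()
                && !name.chars().allMatch(c -> c == '.');
    }

    public String save(String clientName, InputStream data) throws IOException {
        if (!isAcceptableDisplayName(clientName)) {
            throw new IllegalArgumentException("rejected file name");
        }
        // The on-disk name is generated here; the client's name is only metadata.
        String stored = new BigInteger(128, RNG).toString(16);
        Files.copy(data, root.resolve(stored)); // throws if the name already exists
        index.put(stored, clientName);
        return stored;
    }

    public String displayNameFor(String storedName) {
        return index.get(storedName);
    }

    public static void main(String[] args) throws IOException {
        UploadStore store = new UploadStore(Files.createTempDirectory("uploads"));
        // Constructed sample upload: three bytes under the name used in the thread.
        String id = store.save("ImATrojan.exe", new ByteArrayInputStream(new byte[] {1, 2, 3}));
        System.out.println(id + " -> " + store.displayNameFor(id));
    }
}
```

Because the path on disk never contains client-supplied text, the whitelist only has to protect the places where the display name is later shown or sent back in a download header.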
