2

I have a simple site which allows users to upload files (among other things obviously). I am teaching myself PHP/HTML as I go along.

Currently the site has the following traits:

  • When users register, a folder is created in their name.
  • All files the user uploads are placed in that folder (with a time stamp added to the name to avoid any issues with duplicates).
  • When a file is uploaded, information about it is stored in an SQL database.

simple stuff.

So, now my question is what steps do I need to take to:

  • A. Prevent Google from archiving the uploaded files.
  • B. Prevent users from accessing the uploaded files unless they are logged in.
  • C. Prevent users from uploading malicious files.

Notes:

I would assume that B would automatically achieve A. I can restrict users to only uploading files with .doc and .docx extensions. Would this be enough to save against C? I would assume not.

Tolga Evcimen
user187680
  • To solve A and B, simply authenticate (based on session information) before serving the uploaded files. As for C, you first need to define "malicious".... – Oliver Charlesworth Jun 11 '12 at 22:20
  • Okay. So I need to "authenticate" can someone point me in the direction of a guide on what that might look like. – user187680 Jun 11 '12 at 22:21
  • You need to read up on [sessions](http://www.php.net/manual/en/intro.session.php). But then you need to use sessions for almost anything useful on a dynamic website! – Oliver Charlesworth Jun 11 '12 at 22:22

3 Answers

1

There are a number of things you want to do, and your question is quite broad.

  • For the Google indexing, you can work with the /robots.txt. You did not specify if you also want to apply an ACL (Access Control List) to the files, so that might or might not be enough. Serving the files through a script might work, but you have to be very careful not to use include, require or similar things that might be tricked into executing code. You instead want to open the file, read it and serve it through file-operation primitives.

  • Read about "path traversal". You want to avoid that, both in upload and in download (if you serve the file somehow).

  • The definition of "malicious files" is quite broad. Malicious for whom? You could run an antivirus on the upload, for instance, if you are worried about your site being used to distribute malware (you should). If you want to make sure that people can't harm the server, you have to at the very least make sure they can only upload a limited set of file types. Checking extensions and MIME type is a beginning, but don't trust that (you can embed code in a PNG and it's valid if it's included via include()). Then there is the problem of XSS, if users can upload HTML content or stuff that gets interpreted as such. Make sure to serve a Content-Disposition header and a non-HTML content type.

That's a start, but as you said there is much more.
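The checks this answer lists (extension allow-list, content sniffing instead of trusting the client's MIME type, no user-controlled strings in filesystem paths, storage outside the document root), as an added example of an upload handler. This is not code from the question or the answer; it assumes a logged-in user identified by `$_SESSION['user_id']`, a `db.php` that defines a PDO handle `$pdo`, an `uploads` table with the columns shown, and a storage root `/var/app/uploads` that is not under the web root. The MIME types libmagic reports for `.docx` vary between versions, so that list is an assumption to verify against your own `finfo`.

```php
<?php
// upload.php: example added to this page, not code from the question or the answer.
// Assumptions (none are in the original post): $_SESSION['user_id'] is set at login,
// db.php defines a PDO handle $pdo, and table `uploads` has columns
// (user_id, stored_name, original_name, mime, size, uploaded_at).
declare(strict_types=1);
session_start();
require __DIR__ . '/db.php';

// Storage root OUTSIDE the document root, so Apache never serves (or executes) anything in it.
const UPLOAD_ROOT = '/var/app/uploads';
// Allow-list: extension => MIME types libmagic is assumed to report for that format.
// Older libmagic reports .docx as plain application/zip; adjust to what your finfo returns.
const ALLOWED = [
    'doc'  => ['application/msword'],
    'docx' => ['application/vnd.openxmlformats-officedocument.wordprocessingml.document',
               'application/zip'],
];
const MAX_BYTES = 10 * 1024 * 1024;

function fail(int $status, string $msg): void
{
    http_response_code($status);
    exit($msg);
}

if (empty($_SESSION['user_id'])) {
    fail(401, 'login required');
}
$userId = (int) $_SESSION['user_id'];

$f = $_FILES['upload'] ?? null;
if ($f === null || $f['error'] !== UPLOAD_ERR_OK) {
    fail(400, 'no file received');
}
if ($f['size'] > MAX_BYTES) {
    fail(413, 'file too large');
}
// Guards against a forged tmp_name that points at an arbitrary local file.
if (!is_uploaded_file($f['tmp_name'])) {
    fail(400, 'not an uploaded file');
}

// 1. Extension taken from the client-supplied name: a coarse filter, never the only one.
$ext = strtolower(pathinfo($f['name'], PATHINFO_EXTENSION));
if (!isset(ALLOWED[$ext])) {
    fail(415, 'only .doc and .docx are accepted');
}
// 2. Sniff the actual bytes; $_FILES['type'] is sent by the client and proves nothing.
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']);
if (!in_array($mime, ALLOWED[$ext], true)) {
    fail(415, 'file content does not match its extension');
}
// 3. This is where you would hand $f['tmp_name'] to an AV scanner (e.g. clamd) if the
//    site redistributes uploads to other users; omitted here.

// Per-user directory keyed by the numeric id, not by the username, so no user-controlled
// string ever becomes part of a filesystem path (a "folder in their name" created at
// registration time is otherwise a path-traversal vector).
$dir = UPLOAD_ROOT . '/' . $userId;
if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
    fail(500, 'storage error');
}
// 4. The application chooses the stored name; the original name is only data in the DB
//    (it is user input: htmlspecialchars() it whenever it is rendered).
$stored = bin2hex(random_bytes(16)) . '.' . $ext;
$dest   = $dir . '/' . $stored;
if (!move_uploaded_file($f['tmp_name'], $dest)) {
    fail(500, 'could not store file');
}
chmod($dest, 0640); // readable by the app, never executable

$stmt = $pdo->prepare(
    'INSERT INTO uploads (user_id, stored_name, original_name, mime, size, uploaded_at)
     VALUES (?, ?, ?, ?, ?, NOW())'
);
$stmt->execute([$userId, $stored, $f['name'], $mime, $f['size']]);
echo 'stored';
```

Because a `.docx` is itself a ZIP container, the sniff cannot distinguish a real document from any other ZIP with a `.docx` extension; that is acceptable only because the file is stored outside the web root with a name the application chose, and is later served as an opaque download rather than interpreted by the server.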

0

Your biggest threat is going to be if a person manages to upload a file with a .php extension (or some other extension that results in server side scripting/processing). Any code in the file runs on your server with whatever permissions the web server has (varies by configuration).

If the end result of the uploads is just that you want to be able to serve the files as downloads (rather than let someone view them directly in the browser), you'd be well off to store the downloads in a non web-accessible directory, and serve the files via a script that forces a download and doesn't attempt to execute anything regardless of the extension (see http://php.net/header).

This also makes it much easier to facilitate only allowing downloads if a person is logged in, whereas before, you would need some .htaccess magic to achieve this.

drew010
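The download script this answer describes (non-web-accessible storage, a session check, a forced download that never executes the file), as an added example; it is not drew010's code. It assumes `$_SESSION['user_id']` is set at login, a `db.php` that defines a PDO handle `$pdo`, an `uploads` table with columns `id`, `user_id`, `stored_name` and `original_name` where `stored_name` was chosen by the application at upload time, and the storage root `/var/app/uploads` outside the web root.

```php
<?php
// download.php?id=123: example added to this page, not code from the answer.
// Assumptions (not in the original): $_SESSION['user_id'] set at login, db.php defines
// $pdo, and table `uploads` has columns (id, user_id, stored_name, original_name).
declare(strict_types=1);
session_start();
require __DIR__ . '/db.php';

const UPLOAD_ROOT = '/var/app/uploads';

if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    exit('login required');
}
$userId = (int) $_SESSION['user_id'];

// The client supplies an integer id only; never a path or a filename.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('bad id');
}

// Look the file up by id AND owner, so a logged-in user cannot fetch another user's file.
$stmt = $pdo->prepare('SELECT stored_name, original_name FROM uploads WHERE id = ? AND user_id = ?');
$stmt->execute([$id, $userId]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if ($row === false) {
    http_response_code(404);
    exit('not found');
}

// Defence in depth against path traversal: stored_name came from our own database, but
// resolve the path anyway and confirm it is still inside this user's directory.
$base = realpath(UPLOAD_ROOT . '/' . $userId);
$path = $base === false ? false : realpath($base . '/' . $row['stored_name']);
if ($path === false || strpos($path, $base . '/') !== 0 || !is_file($path)) {
    http_response_code(404);
    exit('not found');
}

// Serve as an opaque attachment: no MIME sniffing, no inline rendering. Even an HTML or
// SVG payload that got past the upload checks is then never executed in this site's origin.
$downloadName = preg_replace('/[^A-Za-z0-9._-]/', '_', $row['original_name']) ?: 'download';
header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: attachment; filename="' . $downloadName . '"');
header('Content-Length: ' . filesize($path));
header('Cache-Control: private, no-store');
header('X-Robots-Tag: noindex, nofollow'); // belt and braces for the indexing concern
readfile($path); // copies bytes to the client; never include() or require() an upload
```

Restricting the filename to `[A-Za-z0-9._-]` before putting it in `Content-Disposition` is what prevents a stored name like `x"; filename="evil.html` from rewriting the header; if you need non-ASCII names, add an RFC 5987 `filename*=` parameter rather than relaxing the filter.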
0

You should not upload to directories served by the web server if you do not want the files to be available.

I suggest you use X-Sendfile, which is a header that instructs the server to send a file to the user. Your PHP script called 'fetch so-and-so file' would do whatever authentication you have in place (I assume you have something already) and then return the header. So long as the web server can access the file, it will then serve the file.

See this question: Using X-Sendfile with Apache/PHP

Joe
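The X-Sendfile hand-off this answer suggests, as an added example that is not Joe's code. It assumes Apache with mod_xsendfile loaded, the two directives shown in the comment, the storage root `/var/app/uploads`, and that the caller has already done the session check and database lookup; the function only does the final path check and emits the headers. `XSendFilePath` is the part worth noticing: it is an allow-list enforced by Apache, so a mistake in the PHP path check cannot turn the script into an arbitrary-file read.

```php
<?php
// xsendfile.php: example added to this page, not code from the answer.
// Apache side (vhost or httpd.conf), assuming mod_xsendfile is loaded (assumption):
//     XSendFile     On
//     XSendFilePath /var/app/uploads
// Apache refuses to send anything outside XSendFilePath, whatever PHP asks for.
declare(strict_types=1);

const UPLOAD_ROOT = '/var/app/uploads';

/**
 * Hand an already-authorised file to Apache for delivery.
 * $stored is the name the application chose at upload time (assumed to come from the
 * database, never from the request); $userId is the logged-in owner.
 */
function send_via_xsendfile(int $userId, string $stored, string $downloadName): void
{
    $base = realpath(UPLOAD_ROOT . '/' . $userId);
    $path = $base === false ? false : realpath($base . '/' . $stored);
    if ($path === false || strpos($path, $base . '/') !== 0 || !is_file($path)) {
        http_response_code(404);
        exit('not found');
    }
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', $downloadName) ?: 'download';
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $safeName . '"');
    header('Cache-Control: private, no-store');
    // Absolute path. mod_xsendfile removes this header before the response leaves the
    // server and streams the file itself, so PHP's memory and time limits no longer
    // apply to large downloads.
    header('X-Sendfile: ' . $path);
    exit; // emit nothing else: the response body is the file, not PHP's output
}

// Usage, after your own session check and database lookup (both assumed done):
// send_via_xsendfile((int) $_SESSION['user_id'], $row['stored_name'], $row['original_name']);
```

The same pattern exists on other servers under different header names (nginx uses `X-Accel-Redirect` against an `internal` location), but the division of labour is identical: PHP decides whether the request is allowed, the web server moves the bytes.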