
I'm working on an online file manager as part of a website running on a LAMP stack. What are some file extensions I should disallow for uploaded files? ".php" is an obvious one.

EricP
checking on file extension does not 100% work, user can upload php script with any sort of extension other than php – ajreal Jan 03 '11 at 01:57

4 Answers

I would go about it the other way. Only specify the files that you ALLOW to be posted. Otherwise there can be any variety of file types that you didn't consider, and that can be very hazardous. Consider your "disallow PHP": did you also consider ".php5" or ".phps"? It's much better to take a few minutes and compile a list of the specific types you WILL allow. This takes a bit of front-loading, but in the end will likely save you a major headache.

Kirk Strobeck

I think you'd be better off configuring Apache so it won't even try to run scripts from the upload directory. Then it doesn't matter if someone uploads a .php file -- if someone else browses to that file, the server will serve it up just like any .gif or .jpg, rather than trying to run it on the server -- i.e., the user will just get a .php file downloaded to their computer.

(Note that I'm nothing of an Apache expert, so I don't know exactly what configuration changes you have to make to disable script execution -- but it should be easy to look at your config file, see what's already turned on for your main directory, and reverse it for your uploads directory.)

You might also need to watch out for the GIFAR exploit.

Joe White
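A concrete Apache configuration for what this answer describes, added here as an example (it is not from the original answer). It assumes Apache 2.4 syntax, an upload root of /var/www/example/uploads, and that mod_headers is loaded; the whole point is that nothing under that directory can run server-side, whatever its extension:

```apache
# Added example: serve everything under the upload directory as inert static files.
# The path below is an assumption; point it at the real upload root.
<Directory "/var/www/example/uploads">
    # Ignore any .htaccess a user manages to upload into this tree
    AllowOverride None

    # No CGI, no server-side includes, no content negotiation on filenames
    Options -ExecCGI -Includes -MultiViews

    # mod_php: switch the PHP engine off for this directory entirely
    # (older builds register as mod_php5.c / mod_php7.c instead of mod_php.c)
    <IfModule mod_php.c>
        php_admin_flag engine off
    </IfModule>

    # Hand every request to the static-file handler, overriding any
    # AddHandler / SetHandler (including a php-fpm proxy) inherited from above
    SetHandler default-handler

    # Belt and braces: refuse to serve anything that still looks like a script,
    # covering the .php5 / .phps variants mentioned in the other answer
    <FilesMatch "\.(php[0-9]?|phtml|phps|phar|cgi|pl|py|sh)$">
        Require all denied
    </FilesMatch>

    # Stop browsers sniffing an upload into HTML, and force a download rather
    # than rendering it in the site's origin (drop Content-Disposition if
    # images must display inline)
    Header set X-Content-Type-Options "nosniff"
    Header set Content-Disposition "attachment"
</Directory>
```

After reloading Apache, requesting a known .php file under the upload directory should return 403, and any other upload should arrive as a download with its bytes untouched.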

Don't forget .html files, too.

Not only do you need to disallow users from executing files that they have uploaded, you also need to severely restrict the serving of user-uploaded HTML. Someone can subvert your login and authentication with some JavaScript. Even though it isn't executed on your server, if it's served from your domain, it can be risky.

You should never execute any user uploaded file, nor should you serve it back.

This could be mitigated by serving the files from a separate domain, so it can't access your cookies. – Joe White Jan 03 '11 at 15:23

Apache also allows for decentralized management of configuration via special files placed inside the web tree. The files are usually called .htaccess, but you can use any name in the AccessFileName directive. Directives placed in .htaccess files apply to the directory where you place the file, and all sub-directories. The .htaccess files follow the same syntax as the main configuration files. Since .htaccess files are read on every request, changes made in these files take immediate effect.

Tiff