Multipart Form Submit Directly to an URL

Question

Hi,

We've a web-based application wherein there is an option for Users to upload documents / files into our database. Before uploading any document / file, we want to send the file for free online virus scanning offered by few websites like http://virusscan.jotti.org/en, get the scan status from them. Only if the response status is OK, it should be allowed to uploaded to our database.

I even tried a solution given in: lindaocta.com/?cat=20

My question here is:

1) How do I handle in my application to directly send the document / file to the free online virus scanner websites without downloading the document to my server.

2) Nowadays web applications are developed using AJAX, hence response can be progressively updated in the page. If I try to read the response returned from free online virus scanner website, it is not what I expected. How do I solve this kind of scenarios?

Technologies OS: RedHat Linux ES5.0 Java 1.6 JSP Servlets Tomcat v6.0.10

Answer 1

1) You would have to at least proxy the request through your server in order to have any chance at inspecting the virus scanner's response. If the client posts directly to the AV company, your servlet would be cut out of the loop, unless the the AV site offers some kind of token based 3rd party verification system. What is the free AV site?

2) Never handle any security business logic on the client (browser) side whether it be by AJAX or any other method. An attacker can simply modify the javascript and forge a positive response from the AV scanner site.

Why are you so scared of downloading the potentially unsafe file to your server? Just upload it to a special non-publicly browsable directory that you create (where no other program is looking for config files), scan it for viruses, and delete it if it doesn't pass. If you never try to execute it, and it's not overwriting some config file or kernel file or something, you've probably done enough.