tags:

views:

132

answers:

4
Q: 

which type of files are forbidden to upload

I want to put a section in my site where people can upload things and I was wondering which type of files I should forbid for them to upload.

+1  A: 

Anything that could exploit your website or application, this would be php files (obviously), any sort of executable files, and illegal things you don't want to be liable for hosting.

I would implement a white list of file extensions you want to allow people to upload and check based on their Mime type and file extension and write a policy about what files can and cannot be uploaded to your site.

I would also store an IP address and other relevant data along with the file, just in case you need to block someone from using or abusing your system. It's a lot of work but letting users upload files to your site isn't something that should be taken lightly.

Sam152  2010-04-01 12:23:19
+3  A: 

You must not ask what type of files are forbidden (black-listing), but what types of files are allowed (white-listing).

So write down what files you want your users to upload and make sure that your app checks if the files are in the allowed format.

Primarily your list should not include:

  • PHP files or any other scripting language file
  • Executable files
rogeriopvl  2010-04-01 12:25:26
+3  A: 

This really depends on what you are going to do with the files. If you just store them, you could in theory accept even a collection of the world's worst computer viruses - as long as those files don't get executed.

As rogeriopvl suggests, better create a white-list of file types you want to allow.

Never rely on the MIME type that is sent with the browser. Always check the file type yourself, e.g. using getimagesize() if you want to allow only images.

A very good (but lengthy) discussion on the issue can be found here.

Pekka  2010-04-01 12:28:13
+2  A: 

Checking the extension of the uploaded file isn't even half the story. There are file name syntax problems, type sniffing problems, script/plugin origin problems and more to worry about.

Making a file bucket that doesn't compromise the application is hard and not something to be undertaken lightly. As a starting point, consider serving files from a different [sub]domain to the file management application, and don't use a user-submitted filename as the basis for a filename on the server's filesystem.

(Please read the discussion at Pekka's link.)

bobince  2010-04-01 12:45:30

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases