The target web application is using ASP.NET 3.5 technology but I'm more interested in the intent of the list of checks to enforce on the server.
The following list is my initial thoughts. Is there a better checklist out there? Are any of these thoughts misguided?
- Limit file size at an HTTP infrastructure level.
- Anti-virus.
- Only allow supported file types (jpeg, png) by inspecting format. Do not rely on extension or HTTP headers.
- Generate internal file name rather than relying on the one provided.
- Approval process before allowing files to be accessed / displayed.
- Store file / image in a sandbox before it is approved, especially if the file references do not require authentication.
- Process file / image to a standard format and discard the original. Any legal implications of doing this?
Any guidance on implementing the checks would be appreciated, especially the anti-virus and image format checks. This is not a Webforms application, so server-side solutions (i.e. ones that do not require Server Controls) are needed.
I've changed the title to use the words upload files instead of profile images to try and get focus on the intent of the questions. Thanks to cletus for the great suggestion of re-defining the requirement!
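
Added example, not part of the original question: a C# sketch of three items from the checklist above (an application-level size cap, type detection from the file's leading bytes rather than its extension or headers, and a server-generated file name written to a quarantine directory). The names `UploadCheck`, `MaxBytes`, `SniffImageType` and `SaveToQuarantine` and the 2 MB limit are assumptions made for illustration.

```csharp
using System;
using System.IO;

// Added example: all type and member names here are hypothetical.
public static class UploadCheck
{
    const int MaxBytes = 2 * 1024 * 1024; // assumed limit; backs up the HTTP-level cap
    static readonly byte[] PngSig = { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A };
    static readonly byte[] JpegSig = { 0xFF, 0xD8, 0xFF };

    static bool StartsWith(byte[] head, int len, byte[] sig)
    {
        if (len < sig.Length) return false;
        for (int i = 0; i < sig.Length; i++)
            if (head[i] != sig[i]) return false;
        return true;
    }

    // Returns "png", "jpg" or null, judging only by the leading content bytes.
    public static string SniffImageType(Stream input)
    {
        byte[] head = new byte[8];
        int read = 0, n;
        while (read < head.Length && (n = input.Read(head, read, head.Length - read)) > 0)
            read += n;
        if (StartsWith(head, read, PngSig)) return "png";
        if (StartsWith(head, read, JpegSig)) return "jpg";
        return null;
    }

    // Returns the generated file name, or null when the upload is rejected.
    public static string SaveToQuarantine(Stream input, string quarantineDir)
    {
        if (!input.CanSeek || input.Length == 0 || input.Length > MaxBytes) return null;
        input.Position = 0;
        string ext = SniffImageType(input);
        if (ext == null) return null;
        input.Position = 0;
        // The client-supplied name is never used; the extension comes from the sniffed type.
        string name = Guid.NewGuid().ToString("N") + "." + ext;
        byte[] buf = new byte[8192];
        int n;
        using (FileStream fs = new FileStream(Path.Combine(quarantineDir, name), FileMode.CreateNew))
        {
            while ((n = input.Read(buf, 0, buf.Length)) > 0)
                fs.Write(buf, 0, n);
        }
        return name;
    }
}
```

A matching signature only shows how the file begins, so this is a cheap first gate. Decoding the image and re-encoding it to a standard format, as in the last checklist item, is what validates the rest of the content.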