I'm re-writing a file hosting site, and I want to have the ability to host every single file type (instead of just having a whitelist of allowed extensions).

I'm running nginx and Linux. The site is built in PHP. I'd disable the upload of .php files... but other than that... is there anything else I should watch out for?

+4  A: 

A cleaner manner to solve the problem would be to set up a subhost (something like files.somewhere.com) or a directory, and disable execution via a .htaccess (users will be able to upload a PHP script, but the server will send it instead of executing it).

William Briand
Can this be done in nginx?
Yegor
A: 

The best way here is a combination of:

  1. Disable execution in your upload dir.
  2. Rename all files that you suspect: PHP, SH, BIN, etc or store all files compressed in ZIP/TAR files.
  3. Use an antivirus (Dr. Web, ClamAV, etc) on the server and scan files regularly.
Omar
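
An added example (not part of either answer above) of what "disable execution in your upload dir" can look like on nginx, which has no .htaccess: the upload location is declared so that the PHP handler is never reached for files under it. The host name, document root, `/uploads/` path and PHP-FPM socket are assumptions for illustration.

```nginx
# Added example; host name, paths and PHP-FPM socket are assumptions.
server {
    listen 80;
    server_name files.example.com;          # assumed sub-host for downloads
    root /var/www/files;                    # assumed document root

    # Upload directory. "^~" makes this prefix match final, so the regex
    # PHP location below is never consulted for anything under /uploads/.
    # A plain "location /uploads/ { ... }" would NOT be enough: for a request
    # ending in .php nginx would still prefer the matching regex location
    # and hand the uploaded file to PHP-FPM.
    location ^~ /uploads/ {
        types { }                           # drop the extension-to-MIME mapping
        default_type application/octet-stream;
        # Force a download instead of in-browser rendering (HTML, SVG, ...).
        add_header Content-Disposition "attachment" always;
        add_header X-Content-Type-Options "nosniff" always;
    }

    # Application code: only here are .php files handed to PHP-FPM.
    location ~ \.php$ {
        try_files $uri =404;                # refuse paths that do not exist on disk
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
    }
}
```

Requesting an uploaded `.php` file under `/uploads/` with this configuration should return the file's source as a download rather than its executed output, which is a quick check after deployment.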