The pitfalls of allowing file uploads on your website

by BogdanCalinon 5/20/2014, 6:21:47 PM with 8 comments
  • by ChuckMcMon 5/20/2014, 7:38:35 PM

    The bottom line is this, if users can upload something to your site, and then your site will show that thing to other users before you have a chance to figure out if its a problem, then your site will be exploited by bad actors.

    For a long time an out of the box server installation would include anonymous ftp access. Of course nothing is quite so attractive as a 'free' place to dump and retrieve stuff. It was kind of like setting up a warez/malware camera trap.

  • by tantaloron 5/20/2014, 6:41:45 PM

    Should clarify: "The pitfalls of hosting user-uploaded files on your website"

    Hosting user-uploaded files on a separate domain would probably solve this problem.

  • by callmeedon 5/20/2014, 8:47:00 PM

    Hold-on, doesn't using a

        Content-Disposition: attachment; filename=”image.jpg”
    header mean you can no longer display the image in your service? Won't browsers treat it as a file download? Most services that allow image uploads do so because the images will get displayed on a page? (that's what I do)

    Most services seem to be moving file uploads to S3 (or similar services) these days, so I'm not sure this advice is really helpful. To take that a step further, my preference now is to upload directly to S3 and bypass my app server altogether. At least in Rails, it's fairly easy to setup.

  • by tehwebguyon 5/20/2014, 11:28:04 PM

    A nice way to achieve this with Rails is to upload straight to S3 and then use Paperclip to get, verify and process the file.

    By uploading straight to S3 you also get a faster upload (than, say, Heroku) and server separation.

  • by staunchon 5/20/2014, 10:09:16 PM

    > So if you allow file uploads or printing arbitrary user data in your service, you should always verify the contents as well as sending a Content-Disposition header where applicable.

    The idea that you can "verify the contents" is pretty much just wrong. You actually have to parse the files and write out your own known-safe version. It's a real pain in the butt to do that correctly and securely across a wide variety of file types.

    Even parsing arbitrary user uploads with something like ImageMagick is probably exploitable, simply because those libraries weren't designed to handle hostile input.

  • by rebelon 5/21/2014, 12:49:35 AM

    So out of curiosity, what would be the easiest way to securely accept file uploads? Taking into account all of the possible malicious attacks.

  • by elchiefon 5/20/2014, 9:50:45 PM

    I'm pretty sure you can use Apache Tika to check the actual content type of a file too. Either way, I hate flash.

  • by tom_joneson 5/21/2014, 5:26:39 AM

    Nice post, just goes to show the value of properly validating uploads!