File and image upload security considerations and best practices
Many web sites offer the ability to upload files. Whether it's a simple
JPG for an avatar, or a larger image for a photo gallery or perhaps an
arbitrary file for a file cabinet type application there are several
security considerations you need to take into account and some best
practices for dealing with them. Here's a partial list of some of the
steps you should take if you are implementing this capability on your
own site.
Don't put the files within your normal web site directory structure.
Remove all path information from the uploaded file. In particular,
never let the user specify which directory on the server the file is
going to go in by, for example allowing relative paths to be
specified.
Don't use the original file name the user gave you, store it in your
database if you need it, but use a generated file name for the file
on disk, e.g. use a Guid as the file name. (You can add a content
disposition header with the original file name for downloads but the
path and file name on the server shouldn't be something the user can
influence).
Don't trust image files - resize them and offer only the resized
version for subsequent download. Some images can contain corrupted
metadata that has in the past been able to attack vulnerabilities in
some image manipulation software. Creating a clean, well-formed
image file defends against this.
Don't trust mime types or file extensions, examine the file headers
or open the file and manipulate it to make sure it's what it claims
to be.
