File upload security question

Hi guys,

One quick question about file uploads and security.

I’m running MacOSX Server.
From what I understand, the file is first sent to the tmp folder, you then need to move the file to another folder with move_uploaded_file() in order for it to actually be stored on the server.
If move_uploaded_file() isn’t executed the file is erased.

My program handles CSV files only. I don’t plan to store the file on my server. I just want to open it and store its contents in a database.
I’ll be doing file type and size validations. From what I understand, tmp folders don’t have execution privileges, so I’m assuming I don’t need to chmod the uploaded file.

My question is, is there anything else I should validate to prevent a potential virus threat with the scenario I just described?

Thanks

PHP

3 Comments

@NogDog Apr 01.2010 — Since you do not actually execute the uploaded file, only read bytes from it line by line (e.g. via fgetcsv()), I don't think viruses should be an issue, especially if you are deleting it once you're done with it.
@Mindzai Apr 01.2010 — I don't know about OSX, but on my Linux box files in /tmp are executable by the owner (the web server in this case). If you are on a shared host - I'm guessing not as I can't see why any hosting company would use OSX server? (I've had the misfortune!) - then someone could write a script to execute an uploaded file from /tmp, but then they have direct access to /tmp anyway so that wouldn't make much sense. As the file will never be in a web-accessible location, and you are presumably just using fgetcsv and not executing the files yourself, you should be fine. However if you want to be extra cautious you could manually delete the file as soon as you are done with it rather than waiting for the OS to clear /tmp.
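The handling pattern both replies describe (never execute the upload, read it with fgetcsv(), delete it as soon as you are done) put together in one PHP function. This is an added example, not code from the thread or from any poster; it assumes a form field named "csvfile", a PDO connection in $pdo, a three-column table named "rows" (all hypothetical), and a 1 MiB size cap chosen for illustration.

```php
<?php
// Added example: validate an uploaded CSV, load it into a database, then delete it.
// Hypothetical names: form field "csvfile", table rows(col_a, col_b, col_c), $pdo connection.
declare(strict_types=1);

const MAX_UPLOAD_BYTES = 1024 * 1024; // 1 MiB cap, a constructed value for this example

function importUploadedCsv(array $file, PDO $pdo): int
{
    // PHP reports upload problems in $file['error']; anything but UPLOAD_ERR_OK is a failure.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with error code ' . (int) ($file['error'] ?? -1));
    }
    $tmp = $file['tmp_name'];

    // Only accept a path that really came from this request's upload, not an arbitrary path.
    if (!is_uploaded_file($tmp)) {
        throw new RuntimeException('Not an uploaded file');
    }

    // Size check against the file on disk, not just the client-reported size.
    if (filesize($tmp) > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('File exceeds size limit');
    }

    // Content-type check on the bytes themselves; $file['type'] is supplied by the client
    // and must not be trusted. libmagic usually reports CSV as text/plain or text/csv.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    if (!in_array($mime, ['text/plain', 'text/csv'], true)) {
        throw new RuntimeException("Unexpected content type: $mime");
    }

    $fh = fopen($tmp, 'rb');
    if ($fh === false) {
        throw new RuntimeException('Cannot open uploaded file');
    }

    // Prepared statement: cell contents are passed as data, never spliced into SQL.
    $stmt = $pdo->prepare('INSERT INTO rows (col_a, col_b, col_c) VALUES (?, ?, ?)');
    $count = 0;

    try {
        $pdo->beginTransaction();
        while (($fields = fgetcsv($fh)) !== false) {
            if ($fields === [null]) {
                continue; // fgetcsv() yields [null] for a blank line
            }
            if (count($fields) !== 3) {
                throw new RuntimeException('Unexpected column count on record ' . ($count + 1));
            }
            $stmt->execute($fields);
            $count++;
        }
        $pdo->commit();
    } catch (Throwable $e) {
        if ($pdo->inTransaction()) {
            $pdo->rollBack();
        }
        throw $e;
    } finally {
        fclose($fh);
        // Remove the temp file now instead of waiting for PHP's end-of-request cleanup.
        @unlink($tmp);
    }

    return $count;
}

// Usage (hypothetical DSN and field name):
// $pdo = new PDO('sqlite:/path/to/app.db');
// $inserted = importUploadedCsv($_FILES['csvfile'], $pdo);
```

The file is only ever opened for reading and is never moved with move_uploaded_file(), so it never lands in a web-accessible directory; the unlink() in the finally block means it is gone even when validation or the import throws.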
@mavalos88 (author) Apr 01.2010 — Thank you guys so much for your input!