The dangerous, exquisite art of safely handing user-uploaded files: Tom Eastman (was: Does This Scare You?)

Chris Angelico rosuav at gmail.com
Mon Aug 22 11:45:50 EDT 2016


On Tue, Aug 23, 2016 at 12:21 AM, Ben Finney <ben+python at benfinney.id.au> wrote:
>
> So yes, filenames from arbitrary sources should be *completely*
> untrusted, and never used to access any file on the system. Throw the
> entire filename away and make a filename locally, without using any part
> of the original name.

Oh, and I wish you could convince some other parts of the world about
this. When you mix file uploads with Apache+PHP web applications, you
basically get remote code execution right there. As sysadmin, I have
to constantly play whack-a-mole with stupid exploits that just
wouldn't happen if Joomla's web uploads followed this model.
Seriously, how hard is it for something that *already has a database*
to simply insert a row into jos_uploaded_files and then use that row's
ID, e.g. "uploads/file_"+id, as the file name? In one stroke, you
eliminate code execution (it can't be ".php" or any variant thereof),
collisions (two uploads with the same file name will get different
IDs), and even detritus from incomplete transactions (if you find
"uploads/file_12345" but there's no row with ID 12345, you can assume
the transaction got rolled back, and safely delete the file).

S'not that hard, folks. Be safe. Be smart.

ChrisA
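The scheme Chris describes above, written out as a stand-alone Python example (added here; it is not code from the post, from Joomla, or from any project). The table name jos_uploaded_files is the one used in the message; the sqlite3 metadata store, the upload directory layout, and the function names are assumptions made for the demo. It shows the three points in the message: the stored name is derived only from the row ID so an uploaded "evil.php" can never land on disk under that name, two uploads with the same original name get different files, and a file_<id> with no matching row is treated as detritus from a rolled-back transaction and removed.

```python
import os
import sqlite3
import tempfile

# Constructed demo; the schema and helper names are assumptions, not any project's API.
SCHEMA = """
CREATE TABLE IF NOT EXISTS jos_uploaded_files (
    id            INTEGER PRIMARY KEY AUTOINCREMENT,
    original_name TEXT NOT NULL,   -- kept for display only, never used in a path
    size          INTEGER NOT NULL
)
"""


def open_store(upload_dir):
    """Open (or create) the metadata database that lives beside the uploads."""
    conn = sqlite3.connect(os.path.join(upload_dir, "meta.db"))
    conn.execute(SCHEMA)
    conn.commit()
    return conn


def stored_path(upload_dir, row_id):
    """The on-disk name is built from the integer row ID and nothing else."""
    return os.path.join(upload_dir, "file_%d" % row_id)


def save_upload(conn, upload_dir, original_name, data):
    """Insert a row, then write the bytes under that row's ID.

    The untrusted original_name goes into the database as plain metadata;
    no part of it is used to build the filesystem path.
    """
    with conn:  # commits on success, rolls back if anything below raises
        cur = conn.execute(
            "INSERT INTO jos_uploaded_files (original_name, size) VALUES (?, ?)",
            (original_name, len(data)),
        )
        row_id = cur.lastrowid
        path = stored_path(upload_dir, row_id)
        if os.path.exists(path):
            # A fresh row ID can only collide with a leftover from a transaction
            # that rolled back (SQLite rolls back the sequence too), so drop it.
            os.remove(path)
        with open(path, "xb") as f:  # exclusive create: never silently overwrite
            f.write(data)
    return row_id


def sweep_orphans(conn, upload_dir):
    """Delete every file_<id> that has no matching row; return the IDs removed."""
    known = {row[0] for row in conn.execute("SELECT id FROM jos_uploaded_files")}
    removed = []
    for name in os.listdir(upload_dir):
        if not name.startswith("file_"):
            continue
        try:
            row_id = int(name[len("file_"):])
        except ValueError:
            continue  # not one of ours; leave it alone
        if row_id not in known:
            os.remove(os.path.join(upload_dir, name))
            removed.append(row_id)
    return sorted(removed)


def demo():
    """Run the scheme end to end in a temp dir and report what ended up on disk."""
    upload_dir = tempfile.mkdtemp()
    conn = open_store(upload_dir)

    # Two hostile original names; the bytes themselves are harmless filler.
    save_upload(conn, upload_dir, "evil.php", b"hello")
    save_upload(conn, upload_dir, "evil.php", b"hello again")  # same name, new ID

    # Simulate a transaction that fails after the file was written: the row
    # is rolled back, but file_3 stays behind as detritus.
    try:
        with conn:
            cur = conn.execute(
                "INSERT INTO jos_uploaded_files (original_name, size) VALUES (?, ?)",
                ("../../etc/passwd", 1),
            )
            with open(stored_path(upload_dir, cur.lastrowid), "xb") as f:
                f.write(b"x")
            raise RuntimeError("simulated failure before commit")
    except RuntimeError:
        pass

    orphans = sweep_orphans(conn, upload_dir)
    names = sorted(n for n in os.listdir(upload_dir) if n.startswith("file_"))
    conn.close()
    return {"names": names, "orphans_removed": orphans}


if __name__ == "__main__":
    print(demo())
```

Two details worth noting. The file is opened with "xb" so that an unexpected existing file raises instead of being overwritten, and the only case where a fresh row ID can meet an existing file (a rolled-back transaction whose sequence number was reused) is handled explicitly before the open. The sweep is meant to run periodically, and it is safe to run at any time precisely because the filesystem name carries no information except the row ID.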
