Our web developers have a project that requires accepting file uploads. What should I ensure is covered?

Solution 1:

You need to look out for:

  • Maximum file size. This can be done by the web developers in many cases.
  • Permissions. Do you want each user to have their own (virtual or real) folder that nobody else can see?
  • Do you want users to be able to delete files they have uploaded, or even see them? They should probably be able to verify what files they uploaded at the very least.
  • Do you want to enable users to download files as well as upload? This may be tricky to implement depending on your setup.
  • Make sure that the uploads folder does not allow them to go up the directory tree.
  • Will you limit files by extension or other criteria? You want to make sure you don't set up a "warez server" inadvertently. I know this is for logged-in users, but any security can be broken in some way.

This is all I can think of at the moment to look out for.

Solution 2:

One big thing to watch out for is the max file size you want to allow. Make sure your server is configured to allow the upload of files big enough for your requirements.

Also, I highly recommend the target folder for the upload to be outside of your application's root folder structure.
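
Added example, not part of either answer above: one way to apply the checks listed in Solution 1 and Solution 2 (size cap, extension allowlist, per-user folders, no climbing the directory tree, storage outside the application root). The function names, the size limit, the allowlist and the user-id format are assumptions made for illustration.

```python
import os
import re
import uuid
from pathlib import Path

# Assumed values for illustration; set them from the project's requirements.
MAX_BYTES = 5 * 1024 * 1024
ALLOWED_EXT = {".pdf", ".png", ".jpg"}
USER_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


class UploadRejected(Exception):
    """Raised when an upload or file request fails a check."""


def user_path(upload_root, user_id, name):
    """Map a file name to a path inside upload_root/<user_id>/, or refuse.

    Used for every read, download and delete, so a name such as
    "../bob/x.pdf" or "/etc/passwd" can never leave the user's folder.
    upload_root is assumed to sit outside the application's root folder.
    """
    if not USER_ID_RE.fullmatch(user_id):
        raise UploadRejected("bad user id")
    user_dir = (Path(upload_root) / user_id).resolve()
    target = (user_dir / name).resolve()
    if target.parent != user_dir:
        raise UploadRejected("path escapes user folder")
    return target


def store_upload(upload_root, user_id, client_name, data):
    """Validate one upload and write it under a server-generated name."""
    # Application-level cap; the web server's own body-size limit still applies.
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    ext = os.path.splitext(client_name)[1].lower()
    if ext not in ALLOWED_EXT:
        raise UploadRejected("extension not allowed")
    # The client's file name never becomes part of the stored path.
    target = user_path(upload_root, user_id, uuid.uuid4().hex + ext)
    target.parent.mkdir(mode=0o700, parents=True, exist_ok=True)
    with open(target, "xb") as fh:  # "x": never overwrite an existing file
        fh.write(data)
    return target
```

An extension check only constrains the stored name; it says nothing about the file's content, so the upload folder should also be served without script execution.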