1. Security Considerations On File Uploads

    After researching around the web a little, I came up with this checklist to go through whenever you add file upload to a project:

    • Use the POST method rather than PUT.
    • Write uploaded files to disk first; only then load them into a database if you need them there.
    • Store the files in a folder outside the website tree and off the system partition, and remove the execute permission from that folder.
    • If you have to keep the files under the website tree, put them in a folder separate from your code.
    • Scan the uploaded files for viruses.
    • Validate the request length and restrict file sizes to blunt denial-of-service attacks. On .NET, always set the maxRequestLength and executionTimeout attributes of the httpRuntime element (maxRequestLength defaults to 4096 kilobytes (KB)). Also enforce a minimum file size.
    • Store files under your own naming convention; never reuse the file name the user supplied.
    • Validate the file type, extension and MIME type[1] against whitelists (and check for double extensions) on the client AND on the server; the client-side check is only a convenience, and the server-side check is the one that counts.
    • If you can, validate file names with a strict, anchored regular expression such as "^[a-zA-Z0-9]{1,200}\.[a-zA-Z0-9]{1,10}$": with the dot unescaped it matches any character, and without the anchors the pattern can match only part of a longer name.
    • Never overwrite existing files.
    • Use Cross-Site Request Forgery protection on the upload endpoint.
    • Log user activity.
