Prevent uploading executables

Joseph Sweet
Ranch Hand
Posts: 327
Hi to all,

My web app lets users upload files to the server.

Does anyone know how I can prevent a client from uploading executables to my server.

If I only check the file extension they still can load executables, if they cheat and change the extension to something like ".doc".

Also, somehow changing the extension does not prevent some applications (e.g. my browser) from understanding the original file type and displaying it accordingly. For example, I uploaded a jpg file and wrote it to the server with the name "example.com", and when I accessed that file, my browser did show me the picture.

So is checking for extensions enough for preventing users from damaging my server???
Ben Souther
Sheriff
Posts: 13411

Originally posted by Joseph Sweet:
So is checking for extensions enough for preventing users from damaging my server???

The best way to prevent damage to your server is to make sure that the upload directory does not have executable permissions. As you've already mentioned it's not possible to verify the content by the extension or filename.
Joseph Sweet
Ranch Hand
Posts: 327
How could I set this...

It is not my localhost but a remote server. I think Tomcat is installed on Windows (not sure).

Regarding scripting files (jsp, asp...), is it enough to change their extension in order to prevent people from running them on the server?
[ May 06, 2005: Message edited by: Joseph Sweet ]
Ranch Hand
Posts: 472
Use the same trick: do not put any files in the directory which is used by the servlet/JSP container as the source of JSPs and other scripts. In this case the user will see just the content of the uploaded files.
Joseph Sweet
Ranch Hand
Posts: 327
How can a user access files that are above my app root in the directory tree? I cannot write a valid URL to those files, although they have a physical path on the server disk.

???
Ben Souther
Sheriff
Posts: 13411
You would have to write a servlet that streams the files.
Joseph Sweet
Ranch Hand
Posts: 327
1. I am not sure I understand. You said one option is to make sure that the upload directory does not have executable permissions. I know how to do it on Unix, I have never done it on Windows. Is it something I should ask the server admin to do for me?

2. Now regarding the second option, which is to put the uploaded files in a directory outside of the Tomcat directory: does it prevent executables from running on the server, or only prevent JSP files from running?

I can write a servlet that streams a file from a directory outside of Tomcat to a client, but I don't understand how putting it outside of Tomcat prevents running it.
Ben Souther
Sheriff
Posts: 13411
1.) Yes. If you don't control the box and you want to have the permissions restricted on a particular directory, you would have to ask your hosting company to do this for you.

2.) Even if it's a JSP file with a ".jsp" extension, a user can never run it if they can't hit it directly with a browser. The only access a user would have would be through the streaming servlet that you provide.
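The streaming servlet Ben describes in his earlier reply and in point 2 above, as an added example that is not part of this thread and not code from any poster. It assumes a storage directory (/var/uploads here, a placeholder to adjust for your host) that sits outside the Tomcat webapp tree, so the container never maps a URL to those files and never compiles anything stored there; the only path to them is this servlet, which canonicalises the requested name against the base directory, serves only an allow-list of extensions with a Content-Type chosen by the server rather than by the uploader, and tells the browser not to sniff.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet (not from the thread): streams files stored OUTSIDE the
// webapp root, so Tomcat never executes or compiles anything that was uploaded.
public class UploadStreamServlet extends HttpServlet {

    // Assumed storage location outside the Tomcat/webapp tree (placeholder path).
    private static final File BASE_DIR = new File("/var/uploads");

    // Only these extensions are served; the Content-Type is fixed by us, never
    // taken from the uploader or guessed from the file body.
    private static final Map<String, String> CONTENT_TYPES = new HashMap<String, String>();
    static {
        CONTENT_TYPES.put("jpg", "image/jpeg");
        CONTENT_TYPES.put("png", "image/png");
        CONTENT_TYPES.put("pdf", "application/pdf");
        CONTENT_TYPES.put("txt", "text/plain");
    }

    /** Resolve a requested name to a file inside base, or null if it would escape. */
    static File resolveSafely(File base, String name) throws IOException {
        if (name == null || name.length() == 0) return null;
        // The stored name is a flat key, not a path: reject separators outright.
        if (name.indexOf('/') >= 0 || name.indexOf('\\') >= 0) return null;
        File candidate = new File(base, name);
        // Canonical comparison defeats "..", symlinks and case tricks on Windows.
        String canonicalBase = base.getCanonicalPath() + File.separator;
        if (!candidate.getCanonicalPath().startsWith(canonicalBase)) return null;
        return candidate;
    }

    /** Content-Type for an allow-listed extension, or null when not allowed. */
    static String contentTypeFor(String name) {
        int dot = name.lastIndexOf('.');
        if (dot < 0) return null;
        return CONTENT_TYPES.get(name.substring(dot + 1).toLowerCase());
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        File file = resolveSafely(BASE_DIR, req.getParameter("name"));
        if (file == null || !file.isFile()) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        String type = contentTypeFor(file.getName());
        if (type == null) {
            // Unknown or disallowed extension: do not guess, deliver as an opaque blob.
            type = "application/octet-stream";
        }
        resp.setContentType(type);
        // Stop the browser from re-interpreting the body as something else.
        resp.setHeader("X-Content-Type-Options", "nosniff");
        // Offer as a download rather than rendering inline in the site's origin.
        String safeName = file.getName().replace("\"", "");
        resp.setHeader("Content-Disposition", "attachment; filename=\"" + safeName + "\"");
        resp.setContentLength((int) file.length());

        InputStream in = new FileInputStream(file);
        try {
            OutputStream out = resp.getOutputStream();
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
        } finally {
            in.close();
        }
    }
}
```

Map it in web.xml to a URL such as /files and request /files?name=example.jpg; because the stored directory has no URL of its own, a stored "evil.jsp" is only ever read as bytes and streamed, never handed to the JSP compiler.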
Ranch Hand
Posts: 375
Originally posted by Joseph Sweet:
if they cheat and change the extension to something like ".doc"

Nothing much you can do about that, it's the oldest trick in the book.

Originally posted by Joseph Sweet:
Also, somehow changing the extension does not prevent some applications (e.g. my browser) from understanding the original file type and displaying it accordingly. For example, I uploaded a jpg file and wrote it to the server with the name "example.com", and when I accessed that file, my browser did show me the picture.

My theory (correct me if I am wrong) is that the HTTP's content type meta tag is set to "image/jpg", so the browser will always render it as that.
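Since the extension can be renamed at will, the server-side check that actually tells a JPEG from a Windows executable is the file's leading bytes. The helper below is an added example, not code from the thread; it reads the first bytes of an upload, identifies a few well-known signatures, and accepts the file only when the sniffed type is one the application allows and agrees with the declared extension. The sample inputs in main are constructed in-line for demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;

// Hypothetical upload-time check (not from the thread): trust the bytes, not the name.
public final class UploadSniffer {

    // Leading byte signatures ("magic numbers") of common formats.
    static final byte[] JPEG = {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF};
    static final byte[] PNG  = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};
    static final byte[] GIF  = {'G', 'I', 'F', '8'};
    static final byte[] PDF  = {'%', 'P', 'D', 'F'};
    static final byte[] MZ   = {'M', 'Z'};               // Windows/DOS executable
    static final byte[] ELF  = {0x7F, 'E', 'L', 'F'};    // Unix executable

    static boolean startsWith(byte[] data, byte[] magic) {
        if (data.length < magic.length) return false;
        for (int i = 0; i < magic.length; i++) {
            if (data[i] != magic[i]) return false;
        }
        return true;
    }

    /** Returns "jpg", "png", "gif", "pdf", "executable", or null if unrecognised. */
    static String detect(byte[] head) {
        if (startsWith(head, JPEG)) return "jpg";
        if (startsWith(head, PNG))  return "png";
        if (startsWith(head, GIF))  return "gif";
        if (startsWith(head, PDF))  return "pdf";
        if (startsWith(head, MZ) || startsWith(head, ELF)) return "executable";
        return null;
    }

    /** Lower-cased extension the client declared, with "jpeg" folded to "jpg". */
    static String declaredExtension(String filename) {
        int dot = filename.lastIndexOf('.');
        if (dot < 0) return "";
        String ext = filename.substring(dot + 1).toLowerCase();
        return ext.equals("jpeg") ? "jpg" : ext;
    }

    /** Accept only a recognised, allowed type whose bytes match the declared extension. */
    static boolean acceptable(String filename, byte[] head) {
        String sniffed = detect(head);
        if (sniffed == null || sniffed.equals("executable")) return false;
        return sniffed.equals(declaredExtension(filename));
    }

    /** Read up to n leading bytes without consuming more than needed. */
    static byte[] readHead(InputStream in, int n) throws IOException {
        byte[] buf = new byte[n];
        int total = 0;
        while (total < n) {
            int r = in.read(buf, total, n - total);
            if (r < 0) break;
            total += r;
        }
        byte[] head = new byte[total];
        System.arraycopy(buf, 0, head, 0, total);
        return head;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample 1: real JPEG header renamed to look like a document.
        byte[] jpegBytes = {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF, (byte) 0xE0, 0, 0x10, 'J', 'F', 'I', 'F'};
        // Constructed sample 2: Windows executable header renamed to ".doc".
        byte[] exeBytes = {'M', 'Z', (byte) 0x90, 0, 3, 0, 0, 0};

        byte[] h1 = readHead(new ByteArrayInputStream(jpegBytes), 8);
        byte[] h2 = readHead(new ByteArrayInputStream(exeBytes), 8);

        System.out.println("photo.jpg  -> " + acceptable("photo.jpg", h1));   // true
        System.out.println("photo.doc  -> " + acceptable("photo.doc", h1));   // false: bytes say jpg
        System.out.println("report.doc -> " + acceptable("report.doc", h2));  // false: executable
    }
}
```

This complements, rather than replaces, the advice above: the sniff keeps obvious executables out of storage, while storing outside the webapp and serving through a servlet that sets its own Content-Type and nosniff header is what stops anything that does get through from ever being run or misinterpreted.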