http://www.perlmonks.org?node_id=130024


in reply to Security issues when allowing file upload via CGI

The only major issues I see with it are: (a) making sure that quotas on the system are maintained, (b) permissions issues, and (c) potentials for liability for downloaded content. I am assuming there would also be a need for an authentication system to permit only users on the system to upload.

Quotas: You need to test that the files uploaded fall under the user's quota. I saw a system once where datafiles created by a CGI were owned by the user the webserver ran as, which resulted in them not appearing properly in the user's quota. You also will want to make sure that the user (and group, on systems with that feature) they show up under are correct, and have quotas in place, to prevent someone from filling the site or group's quota, or in the worst case, the partition or drive itself.

Permissions issues: On a *nix system, 644 would likely be the better permission to use. (For reference, the first place in the number is the permissions for the owner, the next for the group, the last for others on the system, and the value is the sum of the permissions, where 4 is read permission, 2 is write permission, and 1 is execute permission.) On other systems, permissions should be set so the uploaded data is not executable on the server. IF you are allowing users to upload CGI scripts, then that will be a special case, needing EXTREME care.

Download issues: Others above in this thread have made cases regarding when others download the content, so I will not poorly repeat their comments. The issue is, though, that any website can wittingly or unwittingly contain harmful content (which partially depends on your definition of "harmful"), and all you can reasonably be expected to do is try to make it more difficult for someone to post something intentionally.

In my own experience (which may or may not prove applicable to you), I had to set up a system for submitting files to a site that would notify the site owner of the submission. My solution was to have the uploads go to a directory that was readily visible from the site, rename the file and set it non-executable, owned by the site owner's user/group, and send the site owner a link to the file, along with the name the submitter suggested. Beyond that, as a coder, I could only advise the site owner to use caution in dealing with the files.

Something else you may wish to look into, which I have heard of but never tried, is loading the content into, and pulling it from, a database. Of course, this is only if that would be appropriate for said content, and as always, YMMV.
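The following is an added example, not code from the reply above or from any monk in the thread. It puts the reply's three points into a single CGI.pm upload handler: a request-size cap plus a per-user byte budget standing in for a filesystem quota, files stored under a server-generated name with mode 0644 (readable, never executable), and a notification that carries the submitter's suggested name only as sanitized text. The upload directory, the form field name `userfile`, the limits, and the reliance on `REMOTE_USER` being set by the web server's authentication are all assumptions.

```perl
#!/usr/bin/perl
# Added example (not from the original thread). Assumptions: uploads live under
# $UPLOAD_ROOT, the form field is "userfile", the web server has already
# authenticated the user and exported REMOTE_USER, and the byte limits below
# are placeholders for a real quota policy.
use strict;
use warnings;
use CGI;
use File::Temp qw(tempfile);
use File::Spec;

my $UPLOAD_ROOT = '/var/www/uploads';   # assumed base directory
my $MAX_BYTES   = 2 * 1024 * 1024;      # assumed per-upload cap (2 MiB)
my $QUOTA_BYTES = 50 * 1024 * 1024;     # assumed per-user budget (50 MiB)

# Make CGI.pm refuse oversized request bodies before any file is written.
$CGI::POST_MAX = $MAX_BYTES;

# Reduce the submitter's suggested name to a short, safe token for display;
# it is never used as the path on disk.
sub safe_display_name {
    my ($name) = @_;
    $name = '' unless defined $name;
    $name =~ s{.*[\\/]}{};              # drop any directory component
    $name =~ s/[^A-Za-z0-9._-]/_/g;     # allow only a conservative character set
    $name = substr($name, 0, 64);
    return length $name ? $name : 'unnamed';
}

# Bytes already used by a user's directory (flat directory of regular files).
sub bytes_used {
    my ($dir) = @_;
    my $total = 0;
    opendir(my $dh, $dir) or return 0;
    for my $entry (readdir $dh) {
        my $path = File::Spec->catfile($dir, $entry);
        $total += -s $path if -f $path;
    }
    closedir $dh;
    return $total;
}

# Copy the upload into the user's directory under a server-generated name,
# aborting (and removing the partial file) if the budget would be exceeded.
# Returns the final path on success, undef on failure.
sub store_upload {
    my ($in_fh, $dir, $budget_left) = @_;
    my ($out_fh, $path) = tempfile('upload_XXXXXXXX', DIR => $dir, SUFFIX => '.dat');
    binmode $in_fh;
    binmode $out_fh;
    my ($buf, $written) = ('', 0);
    while (my $n = read($in_fh, $buf, 65536)) {
        $written += $n;
        if ($written > $budget_left) {
            close $out_fh;
            unlink $path;
            return undef;
        }
        print {$out_fh} $buf;
    }
    close $out_fh or do { unlink $path; return undef };
    # 0644 as in the reply: owner read/write, group and others read, nobody
    # executes. Ownership is whatever uid this CGI runs as, so run it as the
    # site owner (e.g. via suexec) rather than the shared web-server account
    # if the files are to count against the right quota.
    chmod 0644, $path or do { unlink $path; return undef };
    return $path;
}

my $q = CGI->new;
my $user = $ENV{REMOTE_USER};
# A strict username pattern also keeps the directory name free of "../".
if (!defined $user || $user !~ /^[a-z][a-z0-9_-]{0,31}$/) {
    print $q->header(-status => '403 Forbidden'), "not logged in\n";
    exit;
}
if ($q->cgi_error) {   # set when POST_MAX was exceeded
    print $q->header(-status => '413 Payload Too Large'), $q->cgi_error, "\n";
    exit;
}
my $in = $q->upload('userfile');
if (!$in) {
    print $q->header(-status => '400 Bad Request'), "no file\n";
    exit;
}

my $user_dir = File::Spec->catdir($UPLOAD_ROOT, $user);
mkdir $user_dir, 0755 unless -d $user_dir;

my $left   = $QUOTA_BYTES - bytes_used($user_dir);
my $stored = store_upload($in, $user_dir, $left);
if (!defined $stored) {
    print $q->header(-status => '413 Payload Too Large'), "quota exceeded\n";
    exit;
}

my $suggested = safe_display_name(scalar $q->param('userfile'));
# Notification: the stored path (to be turned into a link) plus the suggested
# name as plain text. Mailing it is left to the site's existing mechanism.
print $q->header('text/plain'),
      "stored: $stored\nsuggested name: $suggested\n";
```

The budget check happens while copying rather than by trusting a Content-Length header, so a client that lies about its size still cannot push a user past the limit; `$CGI::POST_MAX` only bounds the whole request body. The client-supplied filename is reduced to a display string because the stored name is chosen by `tempfile`, which is what makes the "rename the file" step in the reply above effective against path tricks.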