I want to give users the option to upload one or more modest-sized files to my site which can then form part of their "personal" space. In principle all I want to do is what the Monastery does with Monk images. My question is, is this a security minefield or not?
So far as I can see, it's not. Because when I save the files from my CGI script, I can make sure they are chmod
to 555 or less. So this is just an inert file (of a defined maximum size, otherwise I didn't accept it) sitting on my hard drive.
If somebody else downloads it and then opens it, I can see that might give them trouble, and ideally I'd like to be able to disinfect the files when they arrive on my hard drive, for protection of others. But caveat emptor
is the bottom line, and my main aim is to be certain the files aren't going to do anything to me
. And I'm not quite certain.
Can any sibling monk think of a way to mess me up by uploading a file to my site under the conditions I've described?<
§ George Sherston