My application allows users to upload files. What precautions should I take?
File uploads can be a risk, if files are uploaded to a directory that has execute/script permissions. Then, an adversary can upload a malicious script or executable. When that gets executed (by invoking it remotely, say), it can cause damage.
Here're two precautions to take:
- Store the files in a private space that's not accessible to a
user directly from the web. For eg, store the files in a database.
- If the files are stored in the file system, then do not give write or execute permissions in that folder.