“The most important safeguard is to keep uploaded files where they cannot be directly accessed by the users via a direct URL. This can be done either by storing uploaded files outside of the web root or configuring the web server to deny access to the uploads directory.
Another important security measure is to use system-generated file names instead of the names supplied by users when storing files on the file system. This will prevent local file inclusion attacks and also make any kind of file name manipulation by the user impossible”
I understand this, however – I am providing options for WordPress users to upload files to their image directory, so I cannot do either of these afaik. The files need to go into the images directory, and be named a name of their choosing.
Here is what I am doing so far:
1) Only allowing files with names with one extension, and the extension must be from a trusted list.
2) Only allowing alphanumeric, spaces and underscores in the first part of the name and less than 30 chars.
3) Not allowing files with the name .htaccess to be uploaded
4) Only allowing admin access to the upload and using wp nonces
5) Checking mime type
6) Checking file size
Some questions I have are:
If I deny uploading any file named ‘.htaccess’ and am denying any file with .php extension, shouldn’t this prevent someone from uploading an image file with .php code embedded?
I understand that I can use php to copy images without malicious code, however I am planning to allow the upload of .ttf files and .css files as well.
I could scan those files with php for script question marks, etc. Is this advisable? If so what would I search for beyond this?
If I am only allowing admins access and am using nonces and the above methodology, how secure is my code and are there other things that I should be doing?
Any help is greatly appreciated!
I thought I would bump this – having a hard time finding much feedback here.
If you do a thorough scrubbing of file names, and only whitelist image, text and css files, what kind of security does that buy you?
Currently, I am uploading as a random name in a directory, scrubbing the name, one extension, whitelisted and re-saving in a public image directory. And only allowing access by wp admins.
You should disable PHP execution in the images directory. That would prevent a lot of the potential problems you’ve considered without having to worry about having missed some tricky filename construction. Add
php_flag engine off
to the apache configuration for that directory. Unless you really need them for some reason, you should also disable .htaccess files, at least in the images directory. Everything you can do in a .htaccess file can be done in an apache configuration file outside of any directory that might be writeable by the web server. See the AllowOverride directive.
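An added example of how that advice looks in a server-level Apache 2.4 configuration (this is not the answerer's own config); the uploads path is an assumed WordPress default and the directive names are standard Apache ones:

```apache
# Added example: lock down a WordPress uploads directory from the main Apache
# config (not from a .htaccess file). The path below is an assumption.
<Directory "/var/www/html/wp-content/uploads">
    # Ignore any .htaccess file that ends up in this tree, so a user-supplied
    # file can no longer re-enable PHP or add handlers.
    AllowOverride None

    # Turn the PHP engine off for this directory. This directive is provided by
    # mod_php only; if PHP runs under PHP-FPM (mod_proxy_fcgi) Apache does not
    # know "php_flag" and will refuse to start, so delete this line there and
    # rely on the FilesMatch block below instead.
    php_flag engine off

    # Belt and braces that works with either PHP SAPI: never serve files with a
    # PHP-style extension, and never serve .ht* dotfiles, from this directory.
    <FilesMatch "(?i)(\.(php[0-9]?|phtml|phar|phps)$|^\.ht)">
        Require all denied
    </FilesMatch>
</Directory>
```

After reloading Apache, requesting a file such as `/wp-content/uploads/test.php` should return 403 rather than executing or downloading it, which is a quick way to confirm the block is in effect.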