Re: [suse-security] HTTP File Uploads

From: Keith Roberts (listskar.eclipse.co.uk)
Date: Fri Mar 12 2004 - 10:06:06 CST


To Ralf Ronneburger, Tom Knight.

On Fri, 12 Mar 2004, Ralf Ronneburger wrote:

> you don't need to put max_file_size into the form, that can be fooled
> much easier. Better is to put some quota on the dir so nobody uploads
> you your 1MB jpeg until the disk is full. You could also check the size
> of the upload-folder in you php-script.

I shall write a php function to check for a minimal amount
of disk space on the partition before copying the file(s)
there.

QUOTE PHP MANUAL
----------------------------------------

float diskfreespace (string directory)

Given a string containing a directory, this function will
return the number of bytes available on the corresponding
filesystem or disk partition.

UNQUOTE PHP MANUAL
----------------------------------------

> About viruses - I'd not worry about it too much. If someone uploads a
> virus for you then the webserver will in no way execute that file. And
> you will probably not do a chmod +x *.jpg ;-). Just be sure to have the
> right file-permissions.

I shall make sure that the file permissions are NOT set to
'x' on any uploaded files.

> I'm quite sure you could also check if the file
> is really a jpeg or not and reject it if it is not, ImageMagick or GDLib
> will do such things for you.

I shall look into this too.

From: Tom Knight <thomas.knightahds.ac.uk>
Subject: RE: [suse-security] HTTP File Uploads

In addition to this you could use a separate partition
for this sort of data. If you want to get anal you could
mount this partition noexec...?

I do have a separate 3Gig partition for /tmp, so space
should not really be a problem at the moment.

For now uploaded files are kept in a /tmp sub-dir.

I may need to copy the jpg files to another partition, apart
from /tmp.

Probably check the integrity of the uploaded files in the
separate directory. If they pass the checks, move them into
the database partition - This is so the photos will be backed
up when I backup the databases.

> (I don't know what you're intending to do with these
> files).

My site is an online mutual exchange register. I'm working
on allowing registered users to be able to upload photos of
their properties. When another user searches the site, they
can ask for the photos of interesting exchange properties to
be displayed.

It's a free community based website for King's Lynn,
Norfolk, UK, that I work on in my spare time.

Thanks for your comments.

Kind Regards Keith Roberts.

www.karsites.net

PS - would anyone like to try some XSS attacks against my
site? Please email me first before doing so.

--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-helpsuse.com
Security-related bug reports go to securitysuse.de, not here
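The checks discussed in this thread (a server-side size cap instead of trusting the form's MAX_FILE_SIZE field, free-space and upload-folder checks before copying, verifying the file really is a JPEG, keeping uploads non-executable, and staging under /tmp before moving to the database partition) can be combined in one PHP handler. The following is an added example, not code from Keith or anyone else on the list. It uses disk_free_space(), the name the PHP manual now gives the diskfreespace() function quoted above, and getimagesize() plus GD's imagecreatefromjpeg() for the JPEG check. The directory paths, the byte limits, the form field name "photo" and the return-array shape are all assumptions.

```php
<?php
declare(strict_types=1);

// Added example (not code from the thread). Paths and limits are hypothetical.
const MAX_UPLOAD_BYTES  = 1024 * 1024;        // per-photo cap, enforced server-side
const MIN_FREE_BYTES    = 50 * 1024 * 1024;   // headroom to keep on each partition
const MAX_STAGING_BYTES = 200 * 1024 * 1024;  // cap on the staging folder as a whole

/** Bytes held by regular files directly inside $dir (the "upload-folder" check). */
function dir_used_bytes(string $dir): int
{
    $total = 0;
    foreach (scandir($dir) ?: [] as $entry) {
        $path = $dir . DIRECTORY_SEPARATOR . $entry;
        if (is_file($path)) {
            $total += (int) filesize($path);
        }
    }
    return $total;
}

/** True only if the file carries a JPEG signature and GD can actually decode it. */
function is_real_jpeg(string $path): bool
{
    $info = @getimagesize($path);
    if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
        return false;
    }
    if (!function_exists('imagecreatefromjpeg')) {
        return true; // GD not loaded: signature check only
    }
    $img = @imagecreatefromjpeg($path);
    if ($img === false) {
        return false;
    }
    unset($img);
    return true;
}

/**
 * Validate one $_FILES entry, stage it under $staging, then move it to $final.
 * Returns ['ok' => bool, 'reason' => string, 'path' => ?string].
 */
function store_photo(array $file, string $staging, string $final): array
{
    $fail = static fn(string $why): array => ['ok' => false, 'reason' => $why, 'path' => null];

    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return $fail('not a completed upload');
    }
    $size = (int) $file['size'];
    if ($size <= 0 || $size > MAX_UPLOAD_BYTES) {
        return $fail('size outside allowed range');
    }
    // Check free space on both partitions, since /tmp and the final store differ.
    foreach ([$staging, $final] as $dir) {
        $free = disk_free_space($dir);
        if ($free === false || $free - $size < MIN_FREE_BYTES) {
            return $fail("insufficient free space under $dir");
        }
    }
    if (dir_used_bytes($staging) + $size > MAX_STAGING_BYTES) {
        return $fail('staging folder is full');
    }
    if (!is_real_jpeg($file['tmp_name'])) {
        return $fail('not a JPEG image');
    }

    // Server-chosen name: the client's filename never reaches the filesystem.
    $name   = bin2hex(random_bytes(8)) . '.jpg';
    $staged = $staging . DIRECTORY_SEPARATOR . $name;
    if (!move_uploaded_file($file['tmp_name'], $staged)) {
        return $fail('could not stage file');
    }
    chmod($staged, 0640); // owner/group readable, never executable

    // copy()+unlink() rather than rename(), because the two directories sit on
    // different partitions; the copy is given the same non-executable mode.
    $dest = $final . DIRECTORY_SEPARATOR . $name;
    if (!copy($staged, $dest)) {
        unlink($staged);
        return $fail('could not move to final store');
    }
    chmod($dest, 0640);
    unlink($staged);
    return ['ok' => true, 'reason' => 'stored', 'path' => $dest];
}

// Usage from the upload form handler (field name "photo" and paths are assumptions).
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_FILES['photo'])) {
    $result = store_photo($_FILES['photo'], '/tmp/photo-staging', '/var/lib/photos');
    http_response_code($result['ok'] ? 200 : 400);
    echo htmlspecialchars($result['reason'], ENT_QUOTES, 'UTF-8');
}
```

The chmod to 0640 complements, rather than replaces, Tom's suggestion of mounting the upload partition noexec: the script controls the mode of files it creates, while the mount option guarantees that nothing under that partition can be executed even if a later bug sets the wrong mode. Note that getimagesize() only inspects the header, which is why the example also asks GD to decode the file before accepting it.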