I am going to have a file upload feature in my Rails app. I know about file_column, but I need something more custom. The server will be cgi/fcgi on Apache on Linux. The feature will be in a password-protected area. I am going to use absolute file paths everywhere. Files will be stored outside of public_html. Files will be chmod'ed to 600 (only read/write by owner). I will validate: file size (min/max), file name, file type.

a) Is there anything else I should be checking?

For security, I prefer to define what is allowed, then handle the special cases. For example, for filenames:
Only allow: "a-z", "A-Z", "0-9", ".", " ", "-", "_"
Then deny: all files with leading periods, file name too long/short, ...

This app will also be used by people in other countries (France, Spain, Turkey, Morocco, Vietnam, ...).

b) What is a good "allow" list (beyond a-z, A-Z, 0-9) for file names?
c) Where can I find a good list of valid/invalid characters for most file systems?
d) Are there any characters specific to Ruby/Rails I need to watch out for?

There are so many different file extensions, I really don't want to limit my users any more than I need to. I just want to keep my server and app safe.

e) Should I create a monster allow list, or just a deny list?
f) Is it better to validate against mime type or extension or both?
g) If I disable cgi and php via .htaccess for the upload folders and all files are chmod 600 (not executable), do I even need to worry about file types?
h) What file types do I need to watch out for (.htaccess, php, cgi, ...)?
i) Once again, anything else I am overlooking?
on 2006-01-30 00:13
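An added example (editor's code, not part of the original post) of the allow-list approach the question describes, written in modern Ruby. It applies the poster's character allow-list, rejects leading and doubled dots (so .htaccess never passes), checks length and extension, and refuses server-side extensions in any dotted segment, not only the last one, because an Apache AddHandler for php also applies to a name like "notes.php.txt". It also compares the first bytes of the content with the claimed extension instead of trusting the browser's Content-Type, and writes the file under a random server-side name with mode 0600 using CREAT|EXCL. The upload root, the extension lists, the length and size limits and the magic-byte table are assumed values, not anything from the post. Note that the poster's allow-list rejects accented characters such as "résumé.pdf", which is the trade-off question b) is asking about.

```ruby
require 'fileutils'
require 'securerandom'
require 'tmpdir'

# Added example, not from the original post. Every constant below is an
# assumed, illustrative value.
UPLOAD_ROOT = '/srv/myapp/uploads'.freeze   # assumed path outside public_html
MIN_LEN   = 3
MAX_LEN   = 100
MAX_BYTES = 5 * 1024 * 1024

# The allow-list from the question: a-z A-Z 0-9 "." " " "-" "_"
SAFE_NAME = /\A[A-Za-z0-9 ._-]+\z/

# The final extension must be one of these (assumed list, compared lower-cased).
ALLOWED_EXT = %w[txt csv pdf png jpg jpeg gif zip doc xls odt ods].freeze

# Rejected in ANY dotted segment, not just the last: with an Apache
# AddHandler for php, "notes.php.txt" is still handed to mod_php because
# Apache honours every extension of a multi-extension filename.
SERVER_EXT = %w[php php3 php4 php5 phtml cgi pl py sh rb htaccess htpasswd].freeze

# Leading bytes of the types we can recognise (assumed subset). Types with
# no entry here (txt, doc, ...) get no content check in this example.
MAGIC = {
  'png'  => "\x89PNG\r\n\x1a\n".b,
  'jpg'  => "\xFF\xD8\xFF".b,
  'jpeg' => "\xFF\xD8\xFF".b,
  'gif'  => 'GIF8'.b,
  'pdf'  => '%PDF-'.b,
  'zip'  => "PK\x03\x04".b
}.freeze

class UploadRejected < StandardError; end

# Returns the cleaned basename, or raises UploadRejected with the reason.
def validate_filename(raw)
  raise UploadRejected, 'no filename' if raw.nil? || raw.empty?
  # Some browsers send the client's full path; keep only the last component,
  # which also drops any ../ prefix before the allow-list check runs.
  name = raw.split(%r{[\\/]}).last.to_s
  raise UploadRejected, 'disallowed character' unless name.match?(SAFE_NAME)
  raise UploadRejected, 'bad length' unless (MIN_LEN..MAX_LEN).cover?(name.length)
  raise UploadRejected, 'trailing dot or space' if name.match?(/[. ]\z/)
  segments = name.split('.', -1)
  # Empty segments cover leading dots (".htaccess") and doubled dots ("a..txt").
  raise UploadRejected, 'empty name part' if segments.any?(&:empty?)
  raise UploadRejected, 'no extension' if segments.length < 2
  tail = segments[1..-1].map(&:downcase)
  raise UploadRejected, 'server-side extension' if (tail & SERVER_EXT).any?
  raise UploadRejected, 'extension not allowed' unless ALLOWED_EXT.include?(tail.last)
  name
end

# The browser's Content-Type header is client-supplied; check the bytes instead.
def content_matches_extension?(name, data)
  magic = MAGIC[name.split('.').last.downcase]
  magic.nil? || data.b.start_with?(magic)
end

# Writes data under a random server-side name with mode 0600 and returns
# [absolute_path, validated_original_name] for the database record.
def store_upload(raw_name, data, root = UPLOAD_ROOT)
  name = validate_filename(raw_name)
  raise UploadRejected, 'too large' if data.bytesize > MAX_BYTES
  raise UploadRejected, 'content does not match extension' unless content_matches_extension?(name, data)
  FileUtils.mkdir_p(root, mode: 0700)
  ext  = name.split('.').last.downcase
  path = File.join(File.expand_path(root), "#{SecureRandom.hex(16)}.#{ext}")
  # CREAT|EXCL: fail rather than overwrite or follow a pre-existing symlink.
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0600) { |f| f.write(data) }
  [path, name]
end

if $PROGRAM_NAME == __FILE__
  Dir.mktmpdir do |dir|
    path, name = store_upload("C:\\Users\\me\\holiday.JPG", "\xFF\xD8\xFF\xE0demo".b, dir)
    puts "stored #{name} as #{path} (mode #{'%o' % (File.stat(path).mode & 0777)})"
    ['notes.php.txt', '.htaccess', 'résumé.pdf', 'shell.txt.php'].each do |bad|
      begin
        validate_filename(bad)
      rescue UploadRejected => e
        puts "rejected #{bad.inspect}: #{e.message}"
      end
    end
  end
end
```

The original filename is only kept as a database value for display; the file on disk gets a random name, so the user-supplied string never becomes part of a path. Run the file directly to see one accepted upload written with mode 600 and four rejections with their reasons.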