I am going to have a file upload feature in my rails app. I know about
file_column, I need something more custom.
The server will be cgi/fcgi on apache on linux.
The feature will be in a password protected area.
I am going to use absolute file paths everywhere.
Files will be stored outside of public_html.
Files will be chmod as 600 (only read/write by owner)
I will validate: file size (min/max), file name, file type
a) Is there anything else I should be checking?
For security, I prefer to define what is allowed, then handle the
special cases.
For example, for filenames:
Only allow: “a-z”, “A-Z”, “0-9”, “.”, " ", “-”, “_”
Then deny: all files with leading periods, file name too long/short,…
This app will be also used by people in other countries (France, Spain,
Turkey, Morocco, Vietnam,…).
b) What is a good “allow” list (beyond a-z, A-Z, 0-9) for file names?
c) Where can I find a good list of valid/invalid characters for most
file systems?
d) Are there any characters specific to Ruby/Rails I need to watch out
for?
There are so many different file extensions, I really don’t want to
limit my users any more than I need to. I just want to keep my server
and app safe.
e) Should I create a monster allow list, or just a deny list?
f) Is it better to validate against mime type or extension or both?
g) If I disable cgi and php via .htaccess for the upload folders and all
files are chmod 600 (not executable), do I even need to worry about file
types?
h) What file types do I need to watch out for (.htaccess,php,cgi,…)?
i) once again, anything else I am over looking?