Forum: Ruby on Rails File Upload and Security advice

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- and Ruby-related community platforms.
scott (Guest)
on 2006-01-29 23:13
I am going to have a file upload feature in my rails app. I know about
file_column, but I need something more custom.

The server will be cgi/fcgi on apache on linux.

The feature will be in a password protected area.
I am going to use absolute file paths everywhere.
Files will be stored outside of public_html.
Files will be chmod as 600 (only read/write by owner)

I will validate: file size (min/max), file name, file type

a) Is there anything else I should be checking?

For security, I prefer to define what is allowed, then handle the
special cases.
For example, for filenames:
Only allow: "a-z", "A-Z", "0-9", ".", " ", "-", "_"
Then deny: all files with leading periods, file name too long/short,...

This app will be also used by people in other countries (France, Spain,
Turkey, Morocco, Vietnam,...).
b) What is a good "allow" list (beyond a-z, A-Z, 0-9) for file names?
c) Where can I find a good list of valid/invalid characters for most
file systems?
d) Are there any characters specific to Ruby/Rails I need to watch out
for?

There are so many different file extensions, I really don't want to
limit my users any more than I need to. I just want to keep my server
and app safe.
e) Should I create a monster allow list, or just a deny list?
f) Is it better to validate against mime type or extension or both?
g) If I disable cgi and php via .htaccess for the upload folders and all
files are chmod 600 (not executable), do I even need to worry about file
types?
h) What file types do I need to watch out for (.htaccess,php,cgi,...)?

i) once again, anything else I am overlooking?
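The following is an added example, not scott's code and not from any reply on this thread, showing in Ruby how the allow-list approach described above can be put together: a filename reduced to a safe basename and checked against a character allow-list, length limits and a leading-period rule; an extension check that looks at every dotted segment rather than only the last one; a size check; a magic-byte check that the content agrees with the extension; and a store step that creates the file with mode 0600 and refuses to overwrite. The character class, limits, extension lists and signature table are illustrative assumptions to be tuned per application.

```ruby
# Added example (not from the original post): allow-list validation for an
# upload handler along the lines scott describes. The character class, the
# length and size limits, the extension lists and the magic-byte table are
# illustrative assumptions; tune them for the real application.
require 'tmpdir'

ALLOWED_NAME = /\A[a-zA-Z0-9 ._-]+\z/
NAME_LENGTH  = (3..100)
SIZE_BYTES   = (1..(5 * 1024 * 1024))

# Extensions this example accepts (assumption; extend per application).
ALLOWED_EXTENSIONS = %w[pdf png jpg jpeg gif txt].freeze
# Extensions a web server or interpreter may execute. Apache's mod_mime looks
# at every dotted segment of a name, so "shell.php.txt" can still be handled as
# PHP; these are therefore rejected wherever they appear after the first dot.
EXECUTABLE_EXTENSIONS = %w[php phtml php3 php4 php5 cgi pl py sh].freeze

# Leading bytes expected for the binary types above (assumption: these are the
# only binary types accepted). Plain text has no signature and is not checked.
MAGIC_BYTES = {
  'pdf'  => ['%PDF-'.b],
  'png'  => ["\x89PNG\r\n\x1a\n".b],
  'jpg'  => ["\xFF\xD8\xFF".b],
  'jpeg' => ["\xFF\xD8\xFF".b],
  'gif'  => ['GIF87a'.b, 'GIF89a'.b]
}.freeze

class UploadRejected < StandardError; end

# Reduce a client-supplied name to a safe basename or raise UploadRejected.
def sanitize_filename(raw)
  # Drop any directory part the client sent, whichever separator it used.
  name = raw.to_s.gsub('\\', '/').split('/').last.to_s.strip
  raise UploadRejected, 'empty name'            if name.empty?
  raise UploadRejected, 'disallowed characters' unless name.match?(ALLOWED_NAME)
  raise UploadRejected, 'leading period'        if name.start_with?('.')
  raise UploadRejected, 'bad length'            unless NAME_LENGTH.cover?(name.length)
  segments = name.downcase.split('.')
  raise UploadRejected, 'no extension'          if segments.length < 2
  extensions = segments[1..-1]
  raise UploadRejected, 'executable extension'  if (extensions & EXECUTABLE_EXTENSIONS).any?
  raise UploadRejected, 'extension not allowed' unless ALLOWED_EXTENSIONS.include?(extensions.last)
  name
end

# True when the file's leading bytes agree with what its extension claims.
def content_matches_extension?(name, data)
  signatures = MAGIC_BYTES[name.downcase.split('.').last]
  return true if signatures.nil?
  head = data.b
  signatures.any? { |sig| head.start_with?(sig) }
end

# Full check: name, size, then content. Returns the sanitized name.
def validate_upload(raw_name, data)
  name = sanitize_filename(raw_name)
  raise UploadRejected, 'bad size' unless SIZE_BYTES.cover?(data.bytesize)
  raise UploadRejected, 'content does not match extension' unless content_matches_extension?(name, data)
  name
end

# Convenience for controller code: the rejection reason, or nil if acceptable.
def upload_error(raw_name, data)
  validate_upload(raw_name, data)
  nil
rescue UploadRejected => e
  e.message
end

# Write the validated file with mode 0600 into a directory outside the web root.
# File::EXCL makes the create fail rather than silently overwrite an existing file.
def store_upload(dir, raw_name, data)
  name = validate_upload(raw_name, data)
  path = File.join(dir, name)
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) { |f| f.write(data) }
  path
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    png = "\x89PNG\r\n\x1a\n".b + ("\x00" * 16).b   # constructed sample, not a real image
    puts store_upload(dir, "..\\..\\photo.PNG", png)  # stored as <dir>/photo.PNG
    puts upload_error('shell.php.txt', 'x' * 10)    # executable extension
  end
end
```

The name is normalized to a basename before any other check, so traversal sequences never reach the allow-list regex; the extension rule deliberately inspects every segment after the first dot because a server that maps handlers by extension may not stop at the last one; and the content check is kept separate from the name check so that a file named `pic.png` whose bytes begin with `<?php` is rejected for the right reason. Plain-text uploads are not content-sniffed here, so for them the size and extension rules are the only guard.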