What are the suggested tips and tricks you have implemented in Grails to ensure the file uploaded via <input type="file" ....> in a publicly available websites are least harmful? I am thinking about using contenttype to ensure only the Word or PDF files are allowed to upload. But I am not sure how we can prevent the Word or PDF files with executable information to be uploaded? Is there any additional filtering we can use?
You can use e.g.:
<input type="file" maxlength="5242880" accept="application/pdf"/>
Inside the upload action you can use (ClamAV)to scan for viruses.
But this leads a further problem. If the uploaders renames any file to ".pdf" it can be uploaded too. Also contentType returns "application/pdf" even if the file isn't really one.
Solution:
You must read the first line of the document and check if it begins with "%PDF". If you open your PDF e.g. with Sublime Text Editor you can see it.
Related
So i have this ASP.Net app and i want to allow the client to have the option to download an xlsx file, im using the HttpContext.Response to set the Content Type "application/xlsx" and the Content-Disposition sets the file name with the extension .xlsx, the download works correctly.
if I change the file name to .pdf then the file is downloaded as a pdf, when I checked the developer tool network response the Content Type was "application/xlsx" and in another test I change the name fileto .png and the file was downloaded as an image (it did not work, but it was shown as an image)
So what is the content type supposed to do, does it bring some sort of security how do i make sure that the user can only downloads the file associated to the content type?
Im using response.BinaryWrite()
A content type indicates what type of content is being transmitted over http regardless of the content name. For example as you already have tested, you can transmit a pdf file naming it as a .png file.
It is the browser or the operating system that is representing a file with the name .png as an image to you. Another software would treat a pdf file with .png name as a pdf file.
The name of the file matters after the download is complete. But the software that is handling the download (in this case a web browser) actually may need to know the original media type. And you might want to write client side codes that would need to know what type of file is being transferred from the server regardless of the file name.
in am using ace:fileEntry component to upload a pdf file. my problem i dont know how to change the filename while uploading the document. The file gets uploaded with the originalfilename.I know that if i set useOriginalFilename=false, it would have a unique name, but I want that the file uploaded in the file system should have the custom filename which i want to pass.
My xhtml code is as below
<ace:fileEntry id="file-entry" label="Attachment"
absolutePath="STR_UPLOADED_FILES"
maxFileCount="1"
maxFileCountMessage="Limited to 1 files uploaded concurrently."
fileEntryListener="#{strformbean.fileuploadListener}"
maxFileSize="6291456"
maxFileSizeMessage="Submitted file is too large.Max size allowed is 6MB"
maxTotalSize="6291456"
maxTotalSizeMessage="Total size of submitted files is too large."
required="false"
requiredMessage="The file is required to submit this form."
useOriginalFilename="true"
useSessionSubdir="false" />
You sound like as if you expected that the temporary storage location of uploaded files is usable as a permanent storage location of uploaded files and you thus don't need to touch it. This is wrong! The location where uploaded files will initially end up is really temporary in order to save server memory usage. It will be cleaned at intervals or startup/shutdown.
In the listener method, you should be obtaining the content of the uploaded file yourself as InputStream or byte[] which you should write to the permanent storage location. During this step you have all the freedom to specify your own filename.
See also this closely related question about PrimeFaces <p:fileUpload> (whose sourcecode ICEfaces has for the major part stolen copypasted redistributed) Where is the p:fileUpload uploaded file saved and how do I change it? for a detailed answer how to deal with it properly.
I'd like to allow user to select a directory (in which I parse some text files) and store the result(List<File>) in a PERSISTENT storage on the same client so that when the user returns, there is no need to select the same directory again.
During the session selecting the directory (via <input webkitdirectory="..." />) and then accessing the directory and parsing the file already works fine, but I've no idea on what kind of data I shall save in order to retrieve it later. I've tried by using window.webkitResolveLocalFileSystemURL() but wasn't successful so far... any idea?
Ok, so you're using something like:
<input type="file" id="file-input" webkitdirectory="" directory="">
This lets the user upload a directory. Roughly speaking, here's the code to get the list of files uploaded:
query("#file-input").on.change.add((e) {
print(e.target.files);
});
It sounds like you already figured that part out.
Really, you just get a list of files. I looked at e.target, and I don't think there's anything in there related to the directory itself. For instance, I don't see anything about the directory name, and it's not as if you suddenly have write access to that directory. You also can't upload files from that directory the next time the user loads the page without him selecting the directory again.
However, what you can do is upload files from that directory and save a copy of those files locally using local file storage.
See also:
"Using the HTML5 Filesystem API" p. 20-21
https://github.com/dart-lang/dart-html5-samples/tree/master/web/file
How do I use Google Chrome 11's Upload Folder feature in my own code?
By the way, I know I wasn't able to achieve exactly what you wanted, but if you approve of my answer, please accept it. My boss promised to buy me a puppy if I answer 100 questions on Stack Overflow ;)
I want prevent users from uploading shell (exploit) on my host. I remember fckeditor, had few bugs that allowed a hacker uploads files on server. Is there a similar issue with ckeditor?
How trust to users files and make sure they aren’t fake files, for example: a hacker can edit inside a pdf files -> file have pdf extension and type but has malicious code.
Is using htmlencode,htmldecode enough for XSS attack?
CKEditor doesn't include any file upload, you have to add that part.
Again, CKEditor doesn't have that part. They sell CKFinder to fill that role and it has some checks to verify that the uploaded file is safe, but you must be very careful about which users do you allow to upload files to your server.
No. If you're using a WYSIWYG editor you are not going to htmlencode the provided data, and other basic tricks aren't also enough. You need a full check like HTMLPurifier
I have a upload text file field, and with it I plan to save the file somewhere and then store the location of the file in a database. However, I want to make sure the file they uploaded is a .txt file, and not, say, an image file. I imagine this happens in the validation step. How does one validate such a thing? Also, how do you get the filename of the uploaded file? I could always just check if it said '.txt' but for future reference knowing how to validate without just the filename would be helpful.
Trying to validate the contents of a file based on the filename extension is opening the door for major hackerdom. It's trivial to change the extension and upload the file.
If you are on a Mac/Linux/Unix-based system the OS "file" command is the standard because it looks inside the file for key bytes that flag file types. http://en.wikipedia.org/wiki/File_(Unix) I'm not sure what's available for Windows, but this might help: Determine file type in Ruby
One way of doing it, the simple way really, would be to pass the file through an image loader, preferably one that handles multiple common formats, and see if it throws an error.
The other way is to manually check the file header for common image format headers. For example, .bmp files start with BM. Other formats have their own specific markings you can use.