Prevent uploading executables

Joseph Sweet
Ranch Hand

Joined: Jan 29, 2005
Posts: 327
Hi to all,

My web app lets users upload files to the server.

Does anyone know how I can prevent a client from uploading executables to my server.

If I only check the file extension they still can load executables, if they cheat and change the extension to something like ".doc".

Also, somehow changing the extension does not prevent some applications (e.g. my browser) from understanding the original file type and displaying it accordingly. For example, I uploaded a jpg file and wrote it to the server with the name "example.com", and when I accessed that file, my browser did show me the picture.

So is checking for extensions enough for preventing users from damaging my server???


We must know, we will know. -- David Hilbert
Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

Originally posted by Joseph Sweet:
So is checking for extensions enough for preventing users from damaging my server???


The best way to prevent damage to your server is to make sure that the upload directory does not have executable permissions. As you've already mentioned it's not possible to verify the content by the extension or filename.


Joseph Sweet
Ranch Hand

Joined: Jan 29, 2005
Posts: 327
How could I set this...

It is not my localhost but a remote server. I think Tomcat is installed on Windows (not sure).

Regarding scripting files (jsp, asp...), is it enough to change their extension in order to prevent people from running them on the server?
[ May 06, 2005: Message edited by: Joseph Sweet ]
D Rog
Ranch Hand

Joined: Feb 07, 2004
Posts: 472

Use the same trick: do not load any files into a directory which is used by the servlet/JSP container as a source of JSP and other scripts. In this case the user will see just the content of the uploaded files.


Joseph Sweet
Ranch Hand

Joined: Jan 29, 2005
Posts: 327


How can a user access files that are above my app root in the directory tree? I cannot write a valid URL to those files, although they have a physical path on the server disk.

???
Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

You would have to write a servlet that streams the files.
Joseph Sweet
Ranch Hand

Joined: Jan 29, 2005
Posts: 327
1. I am not sure I understand. You said one option is to make sure that the upload directory does not have executable permissions. I know how to do it on Unix; I have never done it on Windows. Is it something I should ask the server admin to do for me?

2. Now regarding the second option, which is to put the uploaded files in a directory outside of the Tomcat directory: does it prevent executables from running on the server, or only prevent JSP files from running?

I can write a servlet that streams a file from a directory outside of Tomcat to a client, but I don't understand how putting it outside of Tomcat prevents running it.
Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

1.) Yes. If you don't control the box and you want to have the permissions restricted on a particular directory, you would have to ask your hosting company to do this for you.

2.)
Even if it's a JSP file with a ".jsp" extension, a user can never run it if they can't hit it directly with a browser. The only access a user would have would be through the streaming servlet that you provide.
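The streaming servlet Ben describes, as an added example that is not from this thread: it reads files from a directory outside the web application (hypothetical path /var/app-uploads, requested via a hypothetical "file" parameter, using the javax.servlet API), so the container never maps them to a URL and never compiles a stored ".jsp".

```java
import java.io.*;
import javax.servlet.ServletException;
import javax.servlet.http.*;

/**
 * Streams files from a directory outside the web application (hypothetical
 * path /var/app-uploads), so nothing stored there can be requested directly
 * and Tomcat never sees a stored ".jsp" as a page to compile and run.
 */
public class DownloadServlet extends HttpServlet {

    private static final File UPLOAD_DIR = new File("/var/app-uploads");

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String name = req.getParameter("file");
        // Accept only a plain file name: no path separators, no leading dot.
        if (name == null || !name.matches("[A-Za-z0-9][A-Za-z0-9._-]{0,99}")) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        File target = new File(UPLOAD_DIR, name);
        // Belt and braces: the canonical path must still lie inside UPLOAD_DIR.
        String base = UPLOAD_DIR.getCanonicalPath() + File.separator;
        if (!target.getCanonicalPath().startsWith(base) || !target.isFile()) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // Serve every upload as an opaque download: do not derive a content
        // type from the stored extension, and tell the browser not to sniff one.
        resp.setContentType("application/octet-stream");
        resp.setHeader("Content-Disposition", "attachment; filename=\"" + name + "\"");
        resp.setHeader("X-Content-Type-Options", "nosniff");
        InputStream in = new FileInputStream(target);
        try {
            OutputStream out = resp.getOutputStream();
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
        } finally {
            in.close();
        }
    }
}
```

Because the response is always an attachment with a fixed content type, the browser-sniffing behaviour Joseph saw with the renamed jpg does not apply to files served this way.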
K Riaz
Ranch Hand

Joined: Jan 08, 2005
Posts: 375
Originally posted by Joseph Sweet:
if they cheat and change the extension to something like ".doc"


Nothing much you can do about that, it's the oldest trick in the book.

Originally posted by Joseph Sweet:

Also, somehow changing the extension does not prevent some applications (e.g. my browser) from understanding the original file type and displaying it accordingly. For example, I uploaded a jpg file and wrote it to the server with the name "example.com", and when I accessed that file, my browser did show me the picture.


My theory (correct me if I am wrong) is that the HTTP's content type meta tag is set to "image/jpg", so the browser will always render it as that.