
Prevent uploading executables

 
Joseph Sweet
Ranch Hand
Posts: 327
Hi to all,

My web app lets users upload files to the server.

Does anyone know how I can prevent a client from uploading executables to my server?

If I only check the file extension they can still load executables if they cheat and change the extension to something like ".doc".

Also, somehow changing the extension does not prevent some applications (e.g. my browser) from understanding the original file type and displaying it accordingly. For example, I uploaded a jpg file and wrote it to the server with the name "example.com", and when I accessed that file, my browser did show me the picture.

So is checking for extensions enough for preventing users from damaging my server?
 
Ben Souther
Sheriff
Posts: 13411
Originally posted by Joseph Sweet:
So is checking for extensions enough for preventing users from damaging my server?

The best way to prevent damage to your server is to make sure that the upload directory does not have executable permissions. As you've already mentioned it's not possible to verify the content by the extension or filename.
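The two points Ben makes here, decide by the content rather than the name and keep the upload directory non-executable, as an added example that is not code from the thread. It assumes Java 11+, that the stream comes from a Servlet 3.0 container via `request.getPart("file").getInputStream()`, and an `uploadDir` outside the webapp; the signature allow-list is constructed for illustration and the `UploadGate` class name is hypothetical.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardOpenOption;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Arrays;
import java.util.EnumSet;
import java.util.Map;
import java.util.UUID;

/**
 * Upload gate: accept a file by what its bytes are, never by the name the client sent,
 * then store it under a server-chosen name with no execute bit.
 * Added example (not from the thread); assumes Java 11+.
 */
public final class UploadGate {

    // Constructed allow-list of leading byte signatures ("magic numbers") for the
    // types this application is willing to keep. Anything else is rejected.
    private static final Map<String, byte[]> ALLOWED = Map.of(
        "image/jpeg",      new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
        "image/png",       new byte[] {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A},
        "application/pdf", new byte[] {'%', 'P', 'D', 'F', '-'});

    /** Returns the allow-listed type whose signature the leading bytes match, or null. */
    static String detectAllowedType(byte[] head) {
        for (Map.Entry<String, byte[]> entry : ALLOWED.entrySet()) {
            byte[] sig = entry.getValue();
            if (head.length >= sig.length && Arrays.equals(Arrays.copyOf(head, sig.length), sig)) {
                return entry.getKey();
            }
        }
        return null;
    }

    /**
     * Reads the upload from {@code in} (e.g. request.getPart("file").getInputStream() in a
     * Servlet 3.0 container) and writes it into {@code uploadDir}, a directory outside the
     * webapp. The client's file name is never used for the path.
     */
    static Path store(InputStream in, Path uploadDir) throws IOException {
        byte[] head = in.readNBytes(16);               // enough for every signature above
        String type = detectAllowedType(head);
        if (type == null) {
            throw new IOException("rejected: content does not match an allow-listed type");
        }
        // Server-chosen name with no extension, so no container mapping (.jsp, .cgi, ...) can apply.
        Path target = uploadDir.resolve(UUID.randomUUID().toString());
        try (OutputStream out = Files.newOutputStream(target,
                StandardOpenOption.CREATE_NEW, StandardOpenOption.WRITE)) {
            out.write(head);                            // the bytes already consumed for the check
            in.transferTo(out);                         // then the remainder, streamed
        }
        // On POSIX file systems drop the execute bit explicitly; NTFS has no "posix" view, so skip there.
        if (Files.getFileStore(target).supportsFileAttributeView("posix")) {
            Files.setPosixFilePermissions(target,
                EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE));
        }
        return target;
    }
}
```

The detected `type` is worth recording beside the generated id so that whatever later serves the file can send a fixed Content-Type instead of trusting the original name. The signature check only filters out mislabelled content; it does not prove a file is harmless, which is why the file still lands outside the webroot with a name the container has no handler for.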
 
Joseph Sweet
Ranch Hand
Posts: 327
How could I set this?

It is not my localhost but a remote server. I think Tomcat is installed on Windows (not sure).

Regarding scripting files (JSP, ASP...), is it enough to change their extension in order to prevent people from running them on the server?
[ May 06, 2005: Message edited by: Joseph Sweet ]
 
D Rog
Ranch Hand
Posts: 472
Use the same trick: do not load any files into the directory which is used by the servlet/JSP container as the source of JSPs and other scripts. In this case the user will see just the content of the uploaded files.
 
Joseph Sweet
Ranch Hand
Posts: 327


How can a user access files that are above my app root in the directory tree? I cannot write a valid URL to those files, although they have a physical path on the server disk.
 
Ben Souther
Sheriff
Posts: 13411
You would have to write a servlet that streams the files.
 
Joseph Sweet
Ranch Hand
Posts: 327
1. I am not sure I understand. You said one option is to make sure that the upload directory does not have executable permissions. I know how to do it on Unix; I have never done it on Windows. Is it something I should ask the server admin to do for me?

2. Now regarding the second option, which is to put the uploaded files in a directory outside of the Tomcat directory: does it prevent executables from running on the server, or only prevent JSP files from running?

I can write a servlet that streams a file from a directory outside of Tomcat to a client, but I don't understand how putting it outside of Tomcat prevents running it.
 
Ben Souther
Sheriff
Posts: 13411
1.) Yes. If you don't control the box and you want to have the permissions restricted on a particular directory, you would have to ask your hosting company to do this for you.

2.) Even if it's a JSP file with a ".jsp" extension, a user can never run it if they can't hit it directly with a browser. The only access a user would have would be through the streaming servlet that you provide.
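The streaming servlet Ben describes, as an added example that is not code from the thread: it serves files kept under a directory outside the webapp by a server-chosen id, so nothing in that directory is mapped to a URL or compiled by the container, regardless of extension. It assumes the `javax.servlet` API (Tomcat 9 or earlier; Tomcat 10 moved to `jakarta.servlet`), a Servlet 3.1 container, and the constructed store path `/srv/uploads`; the class name and the `/files` mapping are hypothetical. The fixed type, `nosniff` and attachment headers are there because, as the original question observed, a browser will otherwise guess the type from the bytes and render a mislabelled file.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Streams stored uploads from a directory the container never maps to a URL.
 * Added example (not from the thread); assumes javax.servlet (Tomcat 9 or earlier) and Servlet 3.1.
 */
@WebServlet("/files")
public class FileStreamServlet extends HttpServlet {

    // Constructed location outside CATALINA_HOME/webapps: nothing here is served directly
    // or handed to the JSP compiler, whatever the files are called.
    private static final Path STORE = Paths.get("/srv/uploads").toAbsolutePath().normalize();

    /**
     * Maps a client-supplied id to a file inside {@code store}, or returns null.
     * The id is restricted to a safe character set, then the resolved path is still
     * checked to be a direct child of the store, so ".." and absolute paths cannot escape it.
     */
    static Path resolveSafely(Path store, String id) {
        if (id == null || !id.matches("[A-Za-z0-9-]{1,64}")) {
            return null;
        }
        Path candidate = store.resolve(id).normalize();
        if (!candidate.startsWith(store) || !store.equals(candidate.getParent())) {
            return null;
        }
        return candidate;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Path file = resolveSafely(STORE, req.getParameter("id"));
        if (file == null || !Files.isRegularFile(file)) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // Sent as opaque bytes: a fixed type, nosniff so the browser does not guess a type from
        // the content, and an attachment disposition so it is downloaded rather than rendered.
        resp.setContentType("application/octet-stream");
        resp.setHeader("X-Content-Type-Options", "nosniff");
        resp.setHeader("Content-Disposition", "attachment; filename=\"" + file.getFileName() + "\"");
        resp.setContentLengthLong(Files.size(file));
        try (OutputStream out = resp.getOutputStream()) {
            Files.copy(file, out);
        }
    }
}
```

A client fetches `GET /files?id=<server-chosen id>`; the id is the name the upload code generated, so the filename in the Content-Disposition header never contains user-controlled characters. If the application records the type detected at upload time, it can be sent instead of `application/octet-stream`, but the `nosniff` header should stay either way.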
 
K Riaz
Ranch Hand
Posts: 375
Originally posted by Joseph Sweet:
if they cheat and change the extension to something like ".doc"

Nothing much you can do about that; it's the oldest trick in the book.

Originally posted by Joseph Sweet:
Also, somehow changing the extension does not prevent some applications (e.g. my browser) from understanding the original file type and displaying it accordingly. For example, I uploaded a jpg file and wrote it to the server with the name "example.com", and when I accessed that file, my browser did show me the picture.

My theory (correct me if I am wrong) is that the HTTP content type meta tag is set to "image/jpg", so the browser will always render it as that.
 