How can I prevent people from uploading harmful files to my website?

Question

In short, I have a webpage which allows people to upload a file to my website and then displays a link to whatever they've uploaded.

The uploaded allows any file type to be uploaded, and stores it in a public folder named 'uploads'.

I can foresee a lot of security risks posed by this. For example, if the user uploads a HTML file, it is rendered as a webpage when opened - they could have redirects to viruses in this, etc.

I want the site to be as open as possible - and I like the fact that the uploader allows users to add webpages to my site. However, I need it to be safe and secure for users (and me).

How can I make the site as open as possible (allowing users as much freedom as possible) without being vulnerable to hackers?

Answer 1

There are multiple things you need to consider, select which ever suits your software needs:

1. Don't allow those files which are executables like html, php, cgi
2. If you allow those files to be uploaded then in that directory stop any script execution (this would be done through .htaccess) If you wish to allow html then stop any server side scripts like PHP.
3. Instead of giving direct links to those files. Send the file through your server like from PHP header disposition. In this way the file will be sent as download and the attacker won't have direct link to the file so he can not execute it.