Wednesday, May 13, 2009

HTML Form File Upload

This is a good tutorial that makes it pretty easy to create a file upload form when using a Jetty web server:

Jetty File Upload

Basically you can just copy and paste the code and have a working file upload page in minutes.

The caveat here (as with any code snippet that is easy to copy and paste off the web) is that you'll want to wrap all this in some kind of access control rather than open your web server to file uploads from anywhere on the Internet.

Additionally, you'll probably want to limit which directories can be accessed, make the directory the files are uploaded into non-executable, and make each file read-only once it has been written.

You will want to make this form available only over SSL to help prevent files from being altered in transit, and make sure your web server only uses secure SSL algorithms. You may trust the customers who are uploading files, but what about all the servers those files pass through en route to your web server?

Another option would be limiting access to the file upload to people on your VPN and/or restricting it to certain IP addresses.

File uploads should also be checked for viruses and malware. Making them non-executable is a good first step, assuming someone cannot hack your server and escalate privileges in such a way that they can give themselves rights to change that user account to allow execution of the files. Checking that the files are only of a limited set of types such as .jpg or .gif is helpful; however, search Google for "jpg malware" or "gif malware" and you'll find plenty of examples of jpgs and gifs that have been altered to create a malicious file that can take over a machine or cause other problems.

The user on the system that is responsible for performing the file upload should also have limited rights on the system.

Of course, with any web form you'll want to prevent insertion of special characters that can be used for code injection, etc. All requests should be scrubbed for potentially dangerous content.

Another thing I noticed about this code is that they are simply suppressing certain errors and warnings and sending some exceptions back to the screen. A better approach would be to catch and log all errors - including the IP address and request information when the error occurs - so you can see if someone is trying to hack your server and upload malicious content.
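As an added example that is not from the linked tutorial or from Jetty itself, the following class pulls together the suggestions above: a size limit, a file name check, an extension whitelist backed by a check of the file's leading bytes (so a renamed executable does not pass as a .jpg), a path check that keeps the file inside the upload directory, a write that refuses to overwrite, read-only non-executable permissions after the write, and a log line with the client address and request details on every rejection instead of an exception sent to the screen. The class name, the 2 MiB limit, the log format, the sample IP address and the file names in main are assumptions of this example; it uses only the JDK (Java 9 or later for Map.of) and the permission call applies on POSIX file systems. Wiring it to the servlet, that is reading the multipart body and passing request.getRemoteAddr(), is left to the surrounding handler.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardOpenOption;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Arrays;
import java.util.Map;
import java.util.Set;
import java.util.logging.Logger;

/** Server-side checks for an uploaded file before it is written to disk (example code, not Jetty's). */
public final class UploadGuard {
    private static final Logger LOG = Logger.getLogger(UploadGuard.class.getName());
    private static final long MAX_BYTES = 2L * 1024 * 1024; // 2 MiB, an assumed limit

    /** Leading bytes each accepted type must start with; checked in addition to the extension. */
    private static final Map<String, byte[][]> MAGIC = Map.of(
        "jpg", new byte[][] { {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF} },
        "gif", new byte[][] { "GIF87a".getBytes(), "GIF89a".getBytes() }
    );

    private final Path uploadDir;

    public UploadGuard(Path uploadDir) throws IOException {
        this.uploadDir = uploadDir.toRealPath(); // canonical form for the containment check below
    }

    /** Validates and stores the upload; any failure is logged with the client address and rethrown. */
    public Path store(String clientIp, String declaredName, byte[] content) throws IOException {
        try {
            if (content.length == 0 || content.length > MAX_BYTES) {
                throw new IllegalArgumentException("size " + content.length + " outside allowed range");
            }
            // Keep only the final path component and a conservative character set.
            Path nameOnly = Paths.get(declaredName).getFileName();
            String base = nameOnly == null ? "" : nameOnly.toString();
            if (!base.matches("[A-Za-z0-9._-]{1,64}") || base.startsWith(".")) {
                throw new IllegalArgumentException("unacceptable file name");
            }
            int dot = base.lastIndexOf('.');
            String ext = dot < 0 ? "" : base.substring(dot + 1).toLowerCase();
            byte[][] signatures = MAGIC.get(ext);
            if (signatures == null) {
                throw new IllegalArgumentException("extension ." + ext + " not allowed");
            }
            if (!hasSignature(content, signatures)) {
                throw new IllegalArgumentException("content does not match ." + ext + " signature");
            }
            // Resolve inside the upload directory and refuse anything that escapes it.
            Path target = uploadDir.resolve(base).normalize();
            if (!target.startsWith(uploadDir)) {
                throw new IllegalArgumentException("path escapes upload directory");
            }
            // CREATE_NEW fails instead of overwriting an existing file.
            Files.write(target, content, StandardOpenOption.CREATE_NEW, StandardOpenOption.WRITE);
            // Owner and group read-only, no execute bit for anyone (POSIX file systems only).
            Set<PosixFilePermission> readOnly = PosixFilePermissions.fromString("r--r-----");
            Files.setPosixFilePermissions(target, readOnly);
            LOG.info("upload accepted ip=" + clientIp + " name=" + base + " bytes=" + content.length);
            return target;
        } catch (IllegalArgumentException | IOException e) {
            // Record the reason with the client address and request details; do not echo it to the client.
            LOG.warning("upload rejected ip=" + clientIp + " name=" + declaredName + " reason=" + e.getMessage());
            throw e;
        }
    }

    /** True when the content begins with any of the given byte signatures. */
    static boolean hasSignature(byte[] content, byte[][] signatures) {
        for (byte[] sig : signatures) {
            if (content.length >= sig.length && Arrays.equals(Arrays.copyOf(content, sig.length), sig)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("uploads");
        UploadGuard guard = new UploadGuard(dir);
        // Constructed sample: the first bytes of a GIF89a header, enough for the signature check.
        byte[] gif = new byte[] {'G', 'I', 'F', '8', '9', 'a', 1, 0, 1, 0};
        System.out.println("stored: " + guard.store("203.0.113.7", "logo.gif", gif));
        try {
            guard.store("203.0.113.7", "shell.jsp", gif); // rejected: extension not on the whitelist
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The signature check only confirms that the first bytes look like the declared type; it does not replace the malware scan the post recommends, and the process user that wrote the file can still change its permissions back, which is why that user should also have limited rights on the system.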

Just a few suggestions and I'm sure there's more that can be done to secure this simple example form.

Tiny url back to this page: http://tinyurl.com/secureforms

More on File Upload Security