safely uploading files to web sites

Russell Fulton r.fulton at auckland.ac.nz
Thu Aug 21 03:38:11 GMT 2003


And now to something totally different ;-)

Our web management group are looking at developing something using
ColdFusion to upload images and other assorted content so that can then
be linked into content on our site by various web maintainers.

Currently web maintainers can upload only html, all other material is
handled on a cumbersome manual process to make sure no 'infected'
material makes it way on to the public web site.


points they have noted so far:

     1. All access is authenticated.
     2. All files initially uploaded to an area *outside* the web root.
     3. Cold Fusion has the facility to run external processes and they
        are looking to use this to virus scan files.
     4. Once files are declared clean then they will me moved into an
        area within the web root.
     5. user notified of location of item so they can link to it.

Anything we have over looked here?  In particular is there anything we
have to do to make sure the execution facility is not abused?  I'm not
familiar with CF, but I assume one has to take the same precautions as
with perl or php.

Has anyone already done this using ColdFusion and willing to share the
code?  i.e any wheels out there?  Even if you have an octagonal one we
may be able to take it knock a few more corners off it.

-- 
Russell Fulton, Network Security Officer, The University of Auckland,
New Zealand.



More information about the unisog mailing list