Can you ever let users upload files safely?

VBAHole22

I'm trying to create an asp.net solution where users can upload a file to my web server. I then detect the upload using a filewatcher on another machine that watches the network path. This other machine, the app server, works on the file and produces an output file that gets dropped back on the web server and the user is free to download the results.

I have this up and running in my development environment and it works well. My problem is that I have spoken to several folks in the IT sector that have told me that no sane organization would ever allow me to deploy an application like this. They claim that there are too many security implications involved in file upload.

I know from my end as a developer I can't limit the kinds of files that get uploaded. I can detect the file extension after it has been uploaded, but the extension is not a true indicator of the file (I change extensions all the time to pass files through email filters). So I don't have a whole lot of control over what gets uploaded.

What we do have is a secure environment with ssl, win authorization and authentication and logging. So we SHOULD have good users doing good things and we will know if this is not the case. But I think IT folks tend to look at things differently. The way they see it, they expect the worst out of folks and plan for it. But even if a user were to upload a malicious file, how would they execute it and what would it do?

Am I being foolish to think that I can deploy this application?
 
You can probably deploy (I think) but you do need to be careful. Filtering file extensions is the least you would have to do. Perhaps limiting the size is the next thing. You also need to make sure that the file you upload is not accessible from the outside once it is uploaded and especially that the file cannot be executed. In Linux I would set it to user read only with no group or world access. There is probably an equivalent to this in Windows. You have to prevent outside access so that if I upload my malicious jpeg, say, I can't then go use that file to tell me things about your system or to corrupt your server or steal information. If you take away execute privileges that will reduce danger also. Virus checking as the file is uploaded might also be good -- a lot of email applications do this (ClamAV is one off the top of my head).

It sounds like users will be somewhat trusted if they have access to the file upload area so taking reasonable precautions, I think, would be good enough. It's not like this is going to be exposed to the internet at large, right, just on a corporate LAN or something?
 
The only thing to really worry about is where you put the uploaded files - make sure they're not accessible from the outside, including the webserver. You could rename the file upon upload, if you wanted, but I don't see a point.

If your IT department is looking for an argument to let you do this, point out that it's just as safe as using FTP to let someone upload a file. If you're providing a web interface that is just letting them upload files, I'd consider opening up FTP. Normally I'd pick FTP if I were going to use a watcher component (like FileSystemWatcher). If I wanted the user to upload something and get something back in the same shot, I'd use a webservice or webpage.

You can always ask them what they think might happen by letting someone upload a file to a secured folder (not accessible through the website). It's their job to tell you why, specifically, that would be a problem - what security risk it poses. If they say "well, I'm not sure if it would be Ok or not" then I'd suggest they find out. That's their job, not yours :)

-ner
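The precautions from both replies above (extension allow-list, size cap, checking the content rather than trusting the extension, random rename, storage in a folder outside the web root with no execute permission), as an added example that is not code from this thread; it is written in Python rather than ASP.NET, and the allow-list, size cap and drop-folder name are assumptions.

```python
import os
import secrets
import tempfile

# Constructed allow-list for this example: permitted extensions and the
# leading bytes ("magic numbers") each is expected to start with. Checking
# both answers the poster's point that an extension alone proves nothing.
ALLOWED = {
    ".jpg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".pdf": (b"%PDF-",),
}
MAX_BYTES = 5 * 1024 * 1024  # hard size cap; an assumed value


class UploadRejected(ValueError):
    """Raised when an upload fails a policy check; the caller logs and discards it."""


def validate_upload(filename: str, data: bytes) -> str:
    """Return the allowed extension, or raise UploadRejected."""
    if not data or len(data) > MAX_BYTES:
        raise UploadRejected("empty or too large")
    # basename() drops any directory part the client sends; only the extension is used
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    if ext not in ALLOWED:
        raise UploadRejected(f"extension {ext!r} not in allow-list")
    if not data.startswith(ALLOWED[ext]):  # startswith accepts a tuple of prefixes
        raise UploadRejected("content does not match extension")
    return ext


def store_upload(filename: str, data: bytes, drop_dir: str) -> str:
    """Write a validated upload under a random name and return its path.

    drop_dir is assumed to be OUTSIDE the web root and not served by IIS,
    so the file is reachable by the watcher process, never by URL.
    """
    ext = validate_upload(filename, data)
    new_name = secrets.token_hex(16) + ext  # the user's file name never touches disk
    path = os.path.join(drop_dir, new_name)
    # O_EXCL: never overwrite an existing file; 0o600: owner read/write, no execute
    # bit (the mode applies on Linux; on Windows set the folder's ACL instead)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def demo() -> dict:
    """Store one constructed PDF in a temporary drop folder and report what landed."""
    drop_dir = tempfile.mkdtemp()
    path = store_upload("../../report.pdf", b"%PDF-1.4\n%constructed\n", drop_dir)
    return {"dir_ok": os.path.dirname(path) == drop_dir,
            "renamed": os.path.basename(path) != "report.pdf",
            "ext": os.path.splitext(path)[1],
            "size": os.path.getsize(path)}
```

Virus scanning (the ClamAV suggestion above) would run against the stored file before the watcher picks it up; it is not part of this block.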
 