Ravens PHP Scripts: Forums
 

 

Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
valdarez
Worker



Joined: Jan 22, 2007
Posts: 104

Posted: Wed Aug 01, 2007 3:45 pm

I am running the latest release of Raven Nuke and I would like to provide the ability for certain users to upload images to the website. I have read a ton of threads that discourage providing any type of upload capability whatsoever. However, surely there is something out there that is safe? By any chance is there a module that the RavenNuke staff might not quantify or endorse as safe, but would suggest as the best/safe module to achieve the image upload/display functionality?

Thanks!
 
FireATST
RavenNuke(tm) Development Team



Joined: Jun 12, 2004
Posts: 654
Location: Ohio

Posted: Thu Aug 02, 2007 8:28 am

Any time you allow people to upload any type of file to your webspace you open a small door for problems. I would really make sure that these people are very trustworthy. If you laid $5,000 on the table in front of them and left the room, would the money still be there when you got back..... :)

Gallery 2 is pretty good, I have found, but even then I don't allow just anyone access to upload photos to it. If, with all the information that is out there about the reasons not to do this, you still choose to go ahead, then I wish you the best of luck.... :)
 
Gremmie
Former Moderator in Good Standing



Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA

Posted: Thu Aug 02, 2007 9:37 am

I think I remember looking at NSN Downloads and seeing how they did it. You could try that. I have never used it though, just read through the code once.

You'll want a module that: allows only files less than a certain size, only allows certain file extensions (e.g. .jpg, .gif, but not .exe, or .php), changes the permissions on uploaded files to be non-executable, and hopefully squirrels them away somewhere for admin review. Renaming the newly uploaded file would help also. It could also check the MIME type on the file, but that can be spoofed.

The danger with uploading is that someone could upload a script or program to your server and then execute it either as the webserver process or as another user if they got through another back door. Even with taking the precautions above there is still some risk.

_________________
GCalendar - An Event Calendar for PHP-Nuke
Member_Map - A Google Maps Nuke Module 
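
The checklist in Gremmie's post above, sketched as an added example that is not part of the original thread and is not code from RavenNuke, NSN Downloads or Gallery 2. The function name, constants, size cap and quarantine path are assumptions, and it targets current PHP (7+ with the fileinfo extension) rather than the 2007-era runtime:

```php
<?php
// Added example; accept_image_upload(), MAX_BYTES, ALLOWED and the quarantine
// directory are hypothetical names. Requires PHP 7+ with the fileinfo extension.
const MAX_BYTES = 2 * 1024 * 1024; // assumed size cap: 2 MiB
const ALLOWED = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'gif' => 'image/gif'];

// Validate one $_FILES entry and park it for admin review.
// Returns the server-chosen file name; throws RuntimeException on rejection.
function accept_image_upload(array $file, string $quarantineDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'] ?? '')) {
        throw new RuntimeException('upload failed');
    }
    // Size limit, measured on the server, not taken from the request.
    $size = filesize($file['tmp_name']);
    if ($size === false || $size === 0 || $size > MAX_BYTES) {
        throw new RuntimeException('file size not allowed');
    }
    // Extension allowlist: anything not listed (.php, .exe, ...) is refused.
    $ext = strtolower(pathinfo($file['name'] ?? '', PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        throw new RuntimeException('extension not allowed');
    }
    // The client-sent $file['type'] can be spoofed, so inspect the bytes instead.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext] || getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('content does not match extension');
    }
    // Rename: the stored name is random and never derived from user input.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($quarantineDir, '/') . '/' . $stored;
    // Quarantine: assumed to be a directory outside the web root.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640); // no execute bit for anyone
    return $stored;
}

// In a form handler (field name "image" and the path are assumptions):
// $name = accept_image_upload($_FILES['image'], '/var/uploads/pending');
```

A file that passes the content check can still carry script text in its metadata, so the allowlisted extension and the out-of-web-root quarantine directory are what keep the server from treating it as code.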
All times are GMT - 6 Hours
 