I have an file upload form and need to run a check on the file uploaded to ensure it isn’t anything that might potentially cause problems on the server (ie: executables). The files will primarily be images, but I will be dealing with a other exentions of raw file formats which can be many different extensions. so, i feel the easiest way is to check agaisn’t a list of things I don’t want, rather than things i do.
What is the best way to do this? Ideally something that will work on a both a windows and linux server, but primarily linux if now both.
I would recommend that you should maintain a whitelist of allowed types, rather than a blacklist of blocked ones. Though treat any kind of file-extension based processing as a weak line of defence, as it is trivial to circumvent this kind of checking.
So don’t just check the file extension. It might be worth validating that the content type of the file matches the extension – see the Fileinfo extension. If you’re just using images, you could use GD or ImageMagick to reprocess the file.
Finally, I would recommend that you store any uploaded files on a filesystem which doesn’t permit execution – mount with noexec on Linux/UNIX platforms – though note there isn’t really an equivalent on Windows.