Information Security
sorry_i_noob, 2018-11-25 14:54:09

Do I need to restrict the permissions on the folder where uploaded photos are stored, if their extensions are already checked? And if so, why?

My site lets users upload pictures. The script that saves the photos checks their extension, that is, the characters in the file name after the last dot. If the extension is not in the list of allowed ones (for example png, jpg, jpeg, bmp, gif), the file fails validation.
The question: do I need to restrict the permissions on the folder the photos are uploaded to? I have heard that for any folder files can be uploaded to, execution must be disabled (chmod). Or it can also be done like this:

# Refuse to serve any file in the upload folder whose name contains a script
# extension (php, cgi, pl, phtml), even when more characters follow it.
<FilesMatch "\.([Pp][Hh][Pp]|[Cc][Gg][Ii]|[Pp][Ll]|[Pp][Hh][Tt][Mm][Ll])\.?.*">
   Order allow,deny
   Deny from all
</FilesMatch>

And if so, why do it? After all, bad files can't get into the folder anyway.


1 answer(s)
athacker, 2018-11-25
@athacker

Permissions must be set. The file extension plays no role: you can make any file executable, whether .jpg, .png or .exe; it doesn't matter.
Also, when uploading it is better to check not only the extension but also the file format. Make sure it is an image file, not a script or a binary executable.
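The two checks discussed in this thread, the extension whitelist from the question and the file-format check from the answer, together with storing the file without an execute bit, as one added example. This is illustrative code written for this page, not the asker's upload script or any framework's API; the directory handling, the function names and the sample byte strings are constructed for the example. The magic-byte prefixes are the standard header bytes of the PNG, JPEG, GIF and BMP formats.

```python
import os
import stat
import tempfile

# Extensions the upload handler accepts (the whitelist from the question).
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "bmp", "gif"}

# Header bytes each format begins with, taken from the public format specs.
MAGIC_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "bmp": (b"BM",),
}


def extension_of(filename):
    """The characters after the last dot, lower-cased; empty if there is no dot."""
    base = os.path.basename(filename)
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1].lower()


def extension_ok(filename):
    """The check the question describes: extension must be in the whitelist."""
    return extension_of(filename) in ALLOWED_EXTENSIONS


def content_matches_extension(data, ext):
    """The check the answer recommends: header bytes must agree with the extension."""
    return any(data.startswith(sig) for sig in MAGIC_SIGNATURES.get(ext, ()))


def validate_upload(filename, data):
    """Run both checks; return (accepted, reason)."""
    ext = extension_of(filename)
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension not allowed"
    if not content_matches_extension(data, ext):
        return False, "file header does not match extension"
    return True, "ok"


def save_upload(upload_dir, filename, data):
    """Store an accepted file under a server-chosen name with mode 0644.

    The client-supplied name is only used to pick the extension; the stored
    file gets no execute bit, which is the chmod point raised in the question.
    """
    accepted, reason = validate_upload(filename, data)
    if not accepted:
        raise ValueError(reason)
    fd, path = tempfile.mkstemp(suffix="." + extension_of(filename), dir=upload_dir)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    os.chmod(path, 0o644)  # rw-r--r--: readable by the web server, never executable
    return path


def stored_mode(path):
    """Permission bits of a stored file, for checking that no execute bit is set."""
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Save a constructed GIF into a temporary folder and report its mode."""
    upload_dir = tempfile.mkdtemp()  # constructed stand-in for the site's photo folder
    path = save_upload(upload_dir, "holiday.gif", b"GIF89a" + b"\x00" * 10)
    return path.endswith(".gif"), stored_mode(path)


if __name__ == "__main__":
    # A PHP payload renamed to .jpg passes the extension check but fails the
    # format check; this is why the answer says to check the content as well.
    print(extension_ok("shell.php.jpg"))
    print(validate_upload("shell.php.jpg", b"<?php echo 1; ?>"))
    print(demo())
```

The point of the last lines is that a name like `shell.php.jpg` passes the extension whitelist (the text after the last dot is `jpg`) and is only rejected because its header is not a JPEG header. Even with both checks, the stored file is written with mode 0644 and a server-chosen name, so the folder's permissions and the web server's configuration remain a separate layer rather than something the upload validation replaces.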
