Leomuck

Reputation: 21

View/download PHP uploads - how to do it virus safe?

Now I've read a bunch of SO topics on how to check whether PHP uploads are virus safe and the gist from that is: I can't 100% guarantee that uploads aren't full of viruses - no matter the extension. One proposed solution is to remove the extension during the upload and then reassemble it when people want to download.

However, I want to let users view files directly on the website. How do I go about doing that? For example, generating an iframe with an uploaded PDF inside - is that safe or is it like executing it which would give potential viruses the opportunity to spread? With DOCs I wanted to use Google Docs, so I'd embed an iframe of Google Docs which GETs a URL of the DOC on my server. Is that safe then?

Or is there simply no way other than only allowing downloads to prevent potential viruses from spreading on the server? If so, how goes the reassembling of the extension? I'd guess, when someone uploads a test.exe, I'd remove the .exe part but store it in a database. Then when someone requests the download, I rename the test file to test.exe and push the download. After that I rename it back to test. Is that correct?

Also: how do services like Trello do this? When I upload an image file there, it gets shown directly - without noticeable delay through virus scans or whatever. I thought about using the virustotal.com API but that certainly takes quite long, doesn't it? Would it be okay though to let people upload, then not show them publicly until a virustotal.com-scan is done and then consider the file safe?

Thanks and cheers for all help, and sorry if I missed something.

Upvotes: 2

Views: 211

Answers (1)

Scott Arciszewski

Reputation: 34103

There are a few approaches I've seen in practice over the years:

  1. Scan it locally, using e.g. ClamAV.
    • Pro: If your virus detections are up-to-date, you'll catch any known viruses this way.
    • Con: Anti-virus software is an attack surface. See many of the findings of Tavis Ormandy from Google Project Zero.
    • Con: Could be taxing to server resources. (Maybe spin up a different server dedicated to AV purposes?)
  2. Use an API, such as VirusTotal.
    • Pro: Less attack surface.
    • Con: You have to share the file with VirusTotal, which might be a bad idea if the files you're letting users upload are particularly sensitive (i.e. protected health information).

I'm not sure which to recommend, because I don't know your threat model or operational constraints.

However, the more general problem of not serving browser exploits (e.g. XSS) or allowing reverse shells on the server is actually somewhat easy, but not trivial.

Upvotes: 1
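An added example (not code from the question or the answer) that combines the local ClamAV route from the answer with the extension-stripping idea from the question: the file is stored under a random, extensionless name outside the web root, the original name and the sniffed MIME type live in the database, and the download script reattaches the extension only in the response headers, so nothing is ever renamed on disk. It assumes a PDO connection, an `uploads` table with the columns used below, and `clamdscan` installed on the server; these are assumptions, not part of the original page.

```php
<?php
// Assumed: $pdo is a PDO connection, table uploads(id, stored_name, original_name, mime), clamdscan is installed.
const UPLOAD_DIR = '/var/app/uploads'; // outside the document root: nothing here is executed or served directly
const ALLOWED = ['application/pdf' => 'pdf', 'image/png' => 'png', 'image/jpeg' => 'jpg'];

function storeUpload(PDO $pdo, array $file): int
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    // Sniff the real type from the content; never trust $_FILES['type'] or the client-supplied filename
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException('unsupported file type');
    }
    // Random, extension-less storage name: the original name only ever lives in the database
    $stored = bin2hex(random_bytes(16));
    $dest = UPLOAD_DIR . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0600);
    // Local scan via the ClamAV daemon client; exit code 0 = clean, 1 = infected, 2 = scanner error
    exec('clamdscan --no-summary ' . escapeshellarg($dest), $out, $rc);
    if ($rc !== 0) {
        unlink($dest); // infected or unscannable: never keep an unverified file around
        throw new RuntimeException($rc === 1 ? 'malware detected' : 'scanner unavailable');
    }
    $stmt = $pdo->prepare('INSERT INTO uploads (stored_name, original_name, mime) VALUES (?, ?, ?)');
    $stmt->execute([$stored, basename($file['name']), $mime]);
    return (int) $pdo->lastInsertId();
}

function serveUpload(PDO $pdo, int $id, bool $inline = false): void
{
    $stmt = $pdo->prepare('SELECT stored_name, original_name, mime FROM uploads WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row) { throw new RuntimeException('not found'); }
    // No rename dance: the extension is reattached only in the download filename, derived from the sniffed type
    $base = preg_replace('/[^A-Za-z0-9._-]/', '_', pathinfo($row['original_name'], PATHINFO_FILENAME)) ?: 'file';
    $name = $base . '.' . ALLOWED[$row['mime']];
    header('Content-Type: ' . $row['mime']);
    header('X-Content-Type-Options: nosniff');   // stop browsers from second-guessing the type (e.g. as HTML)
    header('Content-Security-Policy: sandbox');  // inline viewing runs in an opaque origin, not as your site
    header('Content-Disposition: ' . ($inline ? 'inline' : 'attachment') . '; filename="' . $name . '"');
    readfile(UPLOAD_DIR . '/' . $row['stored_name']);
}
```

Because the file never carries an executable extension on disk and lives outside the web root, the server cannot be tricked into running it, and the browser-side risk is contained by the headers rather than by the filename.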
