Reputation: 7163
I've a basic PHP script set up on a web server to accept XML files sent via HTTP POST. So far so good. But I'm wondering about security issues and what other things I would need to be aware of before I could put this live. Has anyone done this before, and what things should I be aware of?
Basically all I have so far is:
<?php
header('Content-type: text/xml');
if ( $_SERVER['REQUEST_METHOD'] == 'POST' )
{
    $postText = file_get_contents('php://input');
    $datetime = date('ymdHis');
    $xmlfile = "myfile" . $datetime . ".xml";
    $FileHandle = fopen($xmlfile, 'w') or die("can't open file");
    fwrite($FileHandle, $postText);
    fclose($FileHandle);
    echo
'<?xml version="1.0" encoding="UTF-8"?>
<cXML>
<Response>
<Status code="200" text="OK">OK</Status>
</Response>
</cXML>';
}
?>
which just writes the XML files onto the web server. What checks would I need to be doing, etc.?
Thanks,
Upvotes: 1
Views: 1746
Reputation: 97815
You should consider:
By the way, this would be more memory efficient:
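$post = fopen("php://input", "r");   // stream the request body instead of loading it into a string
if ($post === false) {
    die("can't open input");         // same error style as the question's script
}
file_put_contents($xmlfile, $post);  // $xmlfile as defined in the question's script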
Upvotes: 2
Reputation: 7281
You’re not letting the user decide the file’s name. This is good.
The most important problem I see here is that you don’t limit the maximum file size. Without that, users can spam your server and fill up the hard disk, causing it to malfunction.
Upvotes: 0
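The points from the answers above (stream the body, keep the server-chosen file name, cap the upload size) combined into one receiver, as an added example that is not code from the original posts. The 1 MiB limit, the storage directory, the function names and the error-status replies are assumptions.

```php
<?php
// Added example; MAX_BYTES, STORE_DIR, store_capped() and reply() are hypothetical names.
const MAX_BYTES = 1048576;            // assumed 1 MiB cap; pick your own
const STORE_DIR = '/var/spool/cxml';  // assumed writable directory outside the document root

// Copy the request body into a new file, refusing anything over $max bytes.
// Returns the stored path, or null when the body exceeds the cap.
function store_capped($in, string $dir, int $max): ?string
{
    // Server-chosen name; the random suffix keeps two posts in one second apart.
    $path = $dir . '/myfile' . date('ymdHis') . '-' . bin2hex(random_bytes(8)) . '.xml';
    $out = fopen($path, 'x');         // 'x' fails instead of overwriting
    if ($out === false) {
        throw new RuntimeException("can't open file");
    }
    // Request one byte more than the cap: getting it proves the body is too big.
    $copied = stream_copy_to_stream($in, $out, $max + 1);
    fclose($out);
    if ($copied === false || $copied > $max) {
        unlink($path);                // never keep a partial upload
        if ($copied === false) {
            throw new RuntimeException('copy failed');
        }
        return null;
    }
    return $path;
}

function reply(int $status, string $text): void
{
    http_response_code($status);
    header('Content-Type: text/xml');
    echo '<?xml version="1.0" encoding="UTF-8"?>', "\n",
         '<cXML><Response><Status code="', $status, '" text="', $text, '">',
         $text, '</Status></Response></cXML>';
}

if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
    reply(405, 'Method Not Allowed');
} elseif ((int) ($_SERVER['CONTENT_LENGTH'] ?? 0) > MAX_BYTES) {
    reply(413, 'Payload Too Large');  // early reject on the declared length
} elseif (($in = fopen('php://input', 'r')) === false) {
    reply(500, 'Internal Server Error');
} elseif (store_capped($in, STORE_DIR, MAX_BYTES) === null) {
    reply(413, 'Payload Too Large');  // declared length absent or wrong
} else {
    reply(200, 'OK');
}
```

The Content-Length check alone is not enough because the header can be missing or understate the body, which is why the copy itself is capped.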