Luca Reghellin

Reputation: 8113

Upload to random named directories, is it enough (security-wise)?

So I've built a form that lets users upload files (within an extensions whitelist) to random-named directories, under another directory in root. The random name, for tech reasons, is for now written down in the HTML page, but visible in code only while the page exists. If the user refreshes the page, the name will change. Only the random dir name itself is visible, not the entire upload path.

data-name="<?php echo uniqidReal(); ?>" // outputs like 'd91806dbde743568'

That name is then used by PHP to create the dir where the files will be saved, something like https://www.acme.com/mydir/d91806dbde743568/file.mp3. That entire URL will then be sent once to the receiver of the form.

The 'mydir' contents are under -Indexes, so no way for anyone to guess the name of the random named dirs in it.

Now my question: is that enough to avoid security issues? Could one, for example, upload a masked file that contains some malicious code that, once uploaded, can read the dirs and send them back information or do something else?

Should I strengthen the security level in some other way?

Upvotes: 3

Views: 38

Answers (1)

Dry7

Reputation: 881

This is not the best way, because the name of a folder can have characters like ../

It seems to me better to create a random folder on the server without receiving data from the user.

Upvotes: 1
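
Added example (not code from the question or the answer): one way to follow the answer's advice in PHP, creating the directory name on the server at upload time so no client-supplied value such as `../` ever reaches the path. It uses `random_bytes()` in place of the question's `uniqidReal()`; the form field name `file`, the base directory and the extension list are assumptions.

```php
<?php
// Added example. Assumptions (hypothetical): form field "file",
// base directory __DIR__ . '/mydir', and this extension whitelist.
declare(strict_types=1);

const UPLOAD_BASE = __DIR__ . '/mydir';
const ALLOWED_EXT = ['mp3', 'wav', 'pdf'];

/** Create a fresh directory whose name never comes from the client. */
function makeUploadDir(string $base): string
{
    for ($i = 0; $i < 5; $i++) {
        $name = bin2hex(random_bytes(8));          // 16 hex chars from the CSPRNG
        $dir  = $base . '/' . $name;
        if (@mkdir($dir, 0750)) {                  // fails if the name already exists
            return $dir;
        }
    }
    throw new RuntimeException('could not create upload directory');
}

/** Reduce a client-supplied file name to a safe one, or null if rejected. */
function safeFileName(string $clientName): ?string
{
    $name = basename(str_replace('\\', '/', $clientName)); // drop any path part
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    // Dots in the stem become "_", so "x.php.mp3" is stored as "x_php.mp3".
    $stem = (string) preg_replace('/[^A-Za-z0-9_-]/', '_', pathinfo($name, PATHINFO_FILENAME));
    if ($stem === '' || !in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    return $stem . '.' . $ext;                     // single, whitelisted extension
}

if (($_FILES['file']['error'] ?? UPLOAD_ERR_NO_FILE) === UPLOAD_ERR_OK) {
    $fileName = safeFileName($_FILES['file']['name']);
    if ($fileName === null) {
        http_response_code(400);
        exit('file type not allowed');
    }
    $dir = makeUploadDir(UPLOAD_BASE);             // created only after validation
    if (!move_uploaded_file($_FILES['file']['tmp_name'], $dir . '/' . $fileName)) {
        http_response_code(500);
        exit('upload failed');
    }
    echo 'stored in ' . basename($dir);            // name to pass on to the receiver
}
```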
