Comments on: Secure web uploads

By: morf

morf — Sun, 21 Dec 2008 16:21:16 +0000

interesting tutorial about secure web upload

http://www.scanit.be/uploads/php-file-upload.pdf

By: Tim

Tim — Sun, 21 Dec 2008 02:39:27 +0000

I’m concerned about it too, but I wasn’t prepared to compromise on security for the purposes of IP rights. There’s a number of defences you could use if the issue came up in court.

One is that it’s not a derivative work, it just happens to do the same thing. Since the creative elements of the original work, such as variable names, were not preserved in my work, copyright does not carry on. Also the control structures and order of operations were liberally rearranged in order to produce code that does the same thing, but is simpler than Microsoft’s. This is the line I took in the file header.

Another is that it’s fair use. My work is transformative in purpose, I’m not using it to build a browser, I’m using it to keep web uploads secure. It’s a small excerpt of the original work. There is law that suggests that no excerpt from a computer program is small enough to count as fair use, but there’s an argument that an exception can be made in this case on the basis of public good.

By: Kelly Martin

Kelly Martin — Sat, 20 Dec 2008 20:14:48 +0000

I’m concerned about the copyright status of the code you wrote. Under US law, at least, code you create derived from the disassembly of someone else’s code counts as a derivative work, and so if this code becomes part of MediaWiki MediaWiki will potentially include code to which Microsoft, at a minimum, has third-party rights. I’m not sure what Australian law on this is, nor am I clear on whether Australian law being different would be of any relief to those who are subject to US law. Still a touchy situation.

By: morf

morf — Wed, 17 Dec 2008 20:46:59 +0000

Thanks! Please write more about upload, for example upload of big files, temporary storing, deleting, resume upload, progress bar, rapidshare-like upload, DOS prevention etc…

best regards

By: Tim

Tim — Wed, 17 Dec 2008 03:18:22 +0000

It’s automated already, you don’t see me checking each upload to wikipedia.org by hand, do you?

Just because Lynx says something is valid HTML doesn’t mean Java won’t allow it as a JAR file. As Nathan puts it, a file can have multiple types. Each client makes up its own rules for what it’s going to accept and what it won’t, and it’s possible to exploit the differences in those rules to produce a file that looks like one type to one browser, and another type to another browser.

By: Andrew Garrett

Andrew Garrett — Wed, 17 Dec 2008 03:12:01 +0000

“It’s also worth considering moving all uploads to a directory not publicly accessible, then using a download script to get the files; this makes it easier to implement stats, and more over no matter how malicious any file is, you never need worry as the file will never be executed, simply sent right back to the client.”

This avoids the server-side scripting issues described in the first section, but none of the client-side Cross-Site Scripting issues which make up the majority of the post, unless you set the Content-Disposition and Content-Type headers appropriately.

By: Bill

Bill — Tue, 16 Dec 2008 17:50:18 +0000

Wow, that must have been a lot of work. Wouldn’t it have been easier to just do an automated test on the files? If its marked as htm, send it to lynx verifying its somewhat valid html. If its a picture, send it through image magic to make sure. Ect, Ect,

By: Yeti

Yeti — Tue, 16 Dec 2008 17:19:46 +0000

Awesome, keep up the good work!

By: Jack Herrick

Jack Herrick — Tue, 16 Dec 2008 16:48:06 +0000

Nice post Tim. Thanks for sharing the info.

Now I’m really starting to feel like the only person in wiki land without a blog though.

By: The Developer Day » Blog Archive » Advice to MySQL, Secure file uploads & more

Tue, 16 Dec 2008 15:36:55 +0000

[...] Handling secure web uploads an interesting post by Tim. Though the most stuff is obvious it’s quite interesting that someone took the effort to dissasemble IE and port some parts of it to PHP. Geeky [...]