Secure file uploads in Ruby on Rails

I have built a photo gallery that uses Paperclip and validates the content type using validates_attachment_content_type.

The application is deployed on a shared host with Passenger.

Is it possible to bypass the check and run malicious scripts from the public/pictures directory? If so, is there anything I can do to prevent malicious scripts from running or loading?

+2

1 answer


Is it possible to bypass the check and run malicious scripts from the public/pictures directory?

Yes. You may have a perfectly valid, renderable image file that also contains HTML with an injected script. Thanks, IE, for content sniffing; you've messed it up for everyone.

See http://webblaze.cs.berkeley.edu/2009/content-sniffing/ for a summary.

If so, is there anything I can do to prevent malicious scripts from running or loading?

Not really. In theory you can check the first 256 bytes for HTML tags, but then you need to know the exact details of what content sniffing each browser does, and keep that comprehensive and up to date; that's a non-starter.

If you process images and re-save them yourself, it can protect you. Otherwise, do one or both of the following:

  • serve user-uploaded files only from a different hostname, so they don't have access to the cookies / auth that would allow XSS to be injected into your site (but note non-XSS attacks such as generic JavaScript / plugin exploits).

  • serve up user-uploaded files through a server-side script that includes a Content-Disposition: attachment header, so browsers don't try to view the page inline (but look out for older versions of Flash, which ignore it for Flash files). This approach also means that you don't need to store files on your server's file system under the name the user uploaded them with, which saves you the hard and error-prone job of checking the file name.

+5
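The second option above, as an added example that is not part of the original answer: plain Ruby (no Rails or Paperclip dependency) that stores an upload under an opaque name and builds the response headers for serving it as an attachment. STORAGE_DIR and the record layout are assumptions; in Rails the headers would be passed to send_file.

```ruby
require 'securerandom'

# Assumed storage location outside public/, so files are never served
# directly by the web server and never rendered inline.
STORAGE_DIR = '/srv/uploads'.freeze

# Store an upload under a random hex id; the user-chosen filename is kept
# only as metadata and never used as an on-disk path.
def store_upload(original_name, bytes)
  id = SecureRandom.hex(16)
  {
    id: id,
    path: File.join(STORAGE_DIR, id),
    original_name: original_name,
    size: bytes.bytesize
  }
end

# Reduce a user-supplied filename to a conservative ASCII form for the
# Content-Disposition header: drop path components (both separators),
# keep only [A-Za-z0-9._-], strip leading dots, cap the length.
def sanitize_filename(name)
  base = File.basename(name.to_s.gsub('\\', '/'))
  safe = base.gsub(/[^A-Za-z0-9._-]/, '_').sub(/\A\.+/, '')
  safe.empty? ? 'download' : safe[0, 100]
end

# Headers for serving a stored upload. Content-Type is deliberately generic
# and nosniff is set, so a polyglot image/HTML file is downloaded rather
# than sniffed and rendered by the browser.
def download_headers(record)
  fname = sanitize_filename(record[:original_name])
  {
    'Content-Type'           => 'application/octet-stream',
    'Content-Disposition'    => %(attachment; filename="#{fname}"),
    'X-Content-Type-Options' => 'nosniff',
    'Content-Length'         => record[:size].to_s,
    'Cache-Control'          => 'private'
  }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample upload: a name with traversal and a quote in it.
  rec = store_upload('../../"evil".html', "\x89PNG<html><script>1</script>")
  download_headers(rec).each { |k, v| puts "#{k}: #{v}" }
end
```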
