When it comes to security, the very first rule is that all data sent by users should be validated before being stored on the server.
Experience shows that some developers pay little or no attention to validating file uploads.
This is mostly due to laziness. However, sometimes the purpose is to build a more flexible form. Example: a CV upload field that accepts any file extension.
This is a huge security mistake.
Why? Because these files are stored by default in the uploads directory, which is publicly accessible.
If one of your users succeeds in uploading a PHP file, such as attack.php, through one of your forms, then he will be able to run the script just by using the
If the aforementioned PHP file contained malicious code, the attacker could get access to your database settings and user details, delete data, etc.
First step: check all of your file upload fields
It is absolutely critical that uploaded files are validated.
Read the file validator documentation again. Do all of your validators have a customised mime_types or mime_categories option?
You should also prevent your forms from accepting .htaccess files, which would otherwise let an uploader override the Apache configuration of the directory they land in.
Second step: disable PHP execution in the "uploads" directory
If you have access to the httpd.conf file, add the following rule to your virtualhost:
php_flag engine off
If you don't have access to the httpd.conf of your host, add a new .htaccess file in your uploads directory with the same line:
php_flag engine off
Third step: avoid using the uploads directory when you can
Some uploaded files, like user avatars, need to be publicly accessible and are served very often; the uploads directory is the right place for them.
But many other user files are private or rarely displayed. All these files could be stored in the data directory (documentation).
1/ Create a files sub directory:
2/ Change the path option in your forms so the file is written under data/ instead of web/uploads/:
$this->validatorSchema['driver_licence_pic'] = new sfValidatorFile(array(
  'mime_types' => 'web_images',                                       // only the web image category is accepted
  'path'       => sfConfig::get('sf_data_dir').'/files/driver_licence', // outside the public web root
));
3/ And add a dedicated route to the file.
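Steps 2 and 3 put together, as an added example rather than code from the original post: a form that only accepts web images and stores them under data/, and the dedicated action that serves a file back after checking who is asking. The model DriverLicence (columns user_id and pic), the route name and the use of sfDoctrineGuardPlugin for getGuardUser() are assumptions.

```php
// Added example, not code from the original post. Assumed: a Doctrine model
// DriverLicence (columns user_id, pic) and sfDoctrineGuardPlugin for getGuardUser().
// Form: only web images (checked on content by sfValidatorFile, not on the
// extension) are accepted, and they are written under data/, outside web/.
class DriverLicenceForm extends BaseDriverLicenceForm
{
  public function configure()
  {
    $this->widgetSchema['pic']    = new sfWidgetFormInputFile();
    $this->validatorSchema['pic'] = new sfValidatorFile(array(
      'required'   => true,
      'max_size'   => 2 * 1024 * 1024,   // 2 MB
      'mime_types' => 'web_images',      // jpeg, png, gif only
      'path'       => sfConfig::get('sf_data_dir').'/files/driver_licence',
    ));
    // sfFormDoctrine saves the upload under a generated name and stores
    // that name in the "pic" column; the original file name is discarded.
  }
}

// Dedicated route (routing.yml, assumed):
//   driver_licence_pic:
//     url:   /driver-licence/:id/pic
//     param: { module: driverLicence, action: pic }
class driverLicenceActions extends sfActions
{
  public function executePic(sfWebRequest $request)
  {
    $this->forward404Unless($this->getUser()->isAuthenticated());
    $licence = Doctrine_Core::getTable('DriverLicence')->find($request->getParameter('id'));
    $this->forward404Unless($licence);
    // A private document is only readable by its owner or an admin.
    $userId = $this->getUser()->getGuardUser()->getId();
    $this->forward404Unless($licence->getUserId() == $userId
      || $this->getUser()->hasCredential('admin'));
    // basename() keeps a tampered stored name from escaping the directory.
    $path = sfConfig::get('sf_data_dir').'/files/driver_licence/'.basename($licence->getPic());
    $this->forward404Unless(is_file($path));
    // The content type comes from the file's bytes and nosniff makes the browser
    // honour it, so the upload is returned as data, never run by PHP.
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $response = $this->getResponse();
    $response->setContentType($finfo->file($path));
    $response->setHttpHeader('X-Content-Type-Options', 'nosniff');
    $response->setHttpHeader('Content-Disposition', 'inline; filename="driver_licence"');
    $response->setContent(file_get_contents($path));
    return sfView::NONE;
  }
}
```

Because the file lives outside web/ and is only reachable through this action, the php_flag rule from step 2 is a second line of defence rather than the only one.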