Symfony-check

Check if your symfony application is ready for deployment

Protect yourself against user uploaded files
  • high
  • security

When it comes to security, the very first rule is that all data sent by users should be validated before being stored on the server.

Experience shows that some developers give poor, little or no attention at all to validating file uploads.

This is mostly due to laziness. However, sometimes the purpose is to build a more flexible form. Example: a CV upload field that accepts any file extension.

This is a huge security mistake.

Why? Because these files by default are stored in the uploads directory which is publicly accessible.

If one of your users succeeds in uploading a php file, such as attack.php through one of your forms, then he will be able to run the script just by using the http//your-sf-project.com/uploads/attack.php uri.

If the aforementioned php file contained malicious code then the hacker could get access to your database settings, user details, delete data etc.

First step: check all of your file upload fields

It is absolutely critical that uploaded files are validated.

Read again the file validator documentation. Do all of your validators have customised mime_types or a mime_categories option ? You should also prevent your forms from accepting the .htaccess mime type.

Second step: disable php execution in the "uploads" directory

If you have access to the httpd.conf file, add the following rule to your virtualhost:

<VirtualHost *:80>

   ...
   ...
   <Directory "/path/to/my/sfProject/web/uploads">
     php_flag engine off
   </Directory>
 </VirtualHost >

If you don’t have access to the httpd.conf of your host, add a new .htaccess file in your /path/to/my/sfProject/web/uploads directory:

php_flag engine off

Third step: Avoid to use the uploads directory when you can

Some uploaded files - like user avatars - need to be publicly accessible and are displayed very often by the server, the uploads directory is the right place for them.

But many other user files are private or rarely displayed. All these files could be stored in the data directory (documentation).

1/ Create a files sub directory: mkdir /path/to/my/sfProject/data/files

2/ Change the path option in your forms:

$this->validatorSchema['driver_licence_pic'] = new sfValidatorFile(array(
  'mime_types' => 'web_images',
  'path'       => sfConfig::get('sf_data_dir').'/files/driver_licence',
));

3/ And add a dedicated route to the file.