When it comes to security, the very first rule is that all data sent by users must be validated before it is stored on the server.
Experience shows that some developers give poor, little or no attention at all to validating file uploads.
This is mostly due to laziness. Sometimes, however, the purpose is to build a more flexible form, for example a CV upload field that accepts any file extension.
This is a huge security mistake.
Why? Because by default these files are stored in the web/uploads directory, which is publicly accessible.
If one of your users succeeds in uploading a PHP file such as attack.php through one of your forms, he will be able to run the script simply by requesting the URI http://your-sf-project.com/uploads/attack.php.
If that PHP file contains malicious code, the attacker can read your database settings and user details, delete data, and so on: the script runs with the same privileges as your application.
It is absolutely critical that uploaded files are validated.
Read the file validator documentation again. Do all of your sfValidatorFile validators set a restrictive mime_types option (an explicit list of mime types, or the key of one of the mime_categories such as web_images)? The check is made on the detected mime type of the content, not on the extension chosen by the user, which is what makes it useful.
You should also make sure your forms never store a file under the name .htaccess (it is a file name, not a mime type): an attacker who can write a .htaccess file into the uploads directory can re-enable PHP execution there if the server allows overrides, undoing the protection below.
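As an added example (not code from the original page or from the symfony project), here is what a hardened version of the CV upload field discussed above looks like in symfony 1.4. The form class name CvUploadForm and the uploads/cv sub directory are assumptions; the validator options and the sfValidatedFile methods used are the real symfony 1.4 API.

```php
<?php
// Added example, not the page's own code. Assumed: a form named CvUploadForm
// and an uploads/cv sub directory under web/uploads.
class CvUploadForm extends sfForm
{
  public function configure()
  {
    $this->setWidgets(array(
      'cv' => new sfWidgetFormInputFile(),
    ));

    // Whitelist on the *detected* mime type of the content, not on the
    // extension the user chose: attack.php renamed to attack.pdf is rejected
    // because its content does not look like a PDF.
    $this->setValidators(array(
      'cv' => new sfValidatorFile(array(
        'required'   => true,
        'path'       => sfConfig::get('sf_upload_dir').'/cv',
        'max_size'   => 2 * 1024 * 1024, // 2 MB is plenty for a CV
        'mime_types' => array(
          'application/pdf',
          'application/msword',
          'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
        ),
      ), array(
        'mime_types' => 'Only PDF or Word documents are accepted (got "%mime_type%").',
        'max_size'   => 'The file is too large (%max_size% bytes maximum).',
      )),
    ));

    // Post validator on the original (client-side) file name. sfValidatedFile
    // generates a random name with an extension derived from the detected mime
    // type when you save it, but if you ever keep the original name this check
    // keeps ".htaccess" and "cv.php.pdf" out of the uploads directory.
    $this->validatorSchema->setPostValidator(new sfValidatorCallback(array(
      'callback' => array($this, 'checkOriginalName'),
    )));

    $this->widgetSchema->setNameFormat('cv_upload[%s]');
  }

  // Signature imposed by sfValidatorCallback: ($validator, $values, $arguments).
  public function checkOriginalName($validator, $values, $arguments)
  {
    // Field-level validation may already have failed; nothing to check then.
    if (!isset($values['cv']) || !$values['cv'] instanceof sfValidatedFile)
    {
      return $values;
    }

    $name = $values['cv']->getOriginalName();

    // One leading word character (so no dot-files such as .htaccess), then
    // word characters, spaces or dashes, then exactly one dot and a known
    // extension. A single dot also defends against Apache's multiple-extension
    // handling, where cv.php.pdf can be handed to mod_php.
    if (!preg_match('/^\w[\w -]*\.(pdf|docx?)$/i', $name))
    {
      throw new sfValidatorErrorSchema($validator, array(
        'cv' => new sfValidatorError($validator, 'Invalid file name "%name%".', array('name' => $name)),
      ));
    }

    return $values;
  }
}
```

When the form is valid, `$form->getValue('cv')->save()` writes the file under the configured path with a generated name; the mime whitelist is what stops executable content from reaching web/uploads, and the name check is a second line of defence for the case where the original name is reused.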
If you have access to the httpd.conf file, add the following rule to your virtualhost (php_flag is a mod_php directive; if PHP runs through FastCGI or PHP-FPM, deny the PHP handler for that directory in the equivalent way instead):
<VirtualHost *:80>
...
...
<Directory "/path/to/my/sfProject/web/uploads">
php_flag engine off
</Directory>
</VirtualHost>
If you don't have access to the httpd.conf of your host, add a new .htaccess file in your /path/to/my/sfProject/web/uploads directory:
php_flag engine off
This only takes effect if the directory is covered by an AllowOverride Options (or AllowOverride All) setting. The same setting is what would let an uploaded .htaccess turn the engine back on, which is why the file name check above matters. After the change, request a harmless test.php placed in the directory: you must get its source as plain text (or a download), not its output.
Avoid the uploads directory when you can
Some uploaded files, like user avatars, need to be publicly accessible and are displayed very often by the server; the uploads directory is the right place for them.
But many other user files are private or rarely displayed. All these files should be stored in the data directory instead (see the documentation), which sits outside the web root and is therefore never served directly by the web server, whatever the file contains.
1/ Create a files sub directory: mkdir /path/to/my/sfProject/data/files
2/ Change the path option in your forms so that files are saved under sf_data_dir instead of sf_upload_dir:
$this->validatorSchema['driver_licence_pic'] = new sfValidatorFile(array(
'mime_types' => 'web_images',
'path' => sfConfig::get('sf_data_dir').'/files/driver_licence',
));
3/ And add a dedicated route and action that serves the file, so that the application decides who may read it before it reads the file from data/files and streams it back.
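An added example of step 3 (not code from the original page or from the symfony project). It assumes a file module, a Doctrine model Driver with a driver_licence_pic column holding the file name returned by the validator above, and an admin credential; the route definition is given in the leading comment. The action, routing and response methods used are the real symfony 1.4 API.

```php
<?php
// Added example, not the page's own code. Assumed names: a "file" module, a
// Doctrine model "Driver" with a driver_licence_pic column, and an "admin"
// credential. The matching route (assumed to live in
// apps/frontend/config/routing.yml) would be:
//
//   driver_licence_file:
//     url:   /files/driver-licence/:id
//     param: { module: file, action: driverLicence }
//
// apps/frontend/modules/file/actions/actions.class.php
class fileActions extends sfActions
{
  public function executeDriverLicence(sfWebRequest $request)
  {
    // 1. Authorisation first: the file is private, so decide who may see it
    //    before touching the disk. Unauthorised requests get a 404 rather
    //    than a hint that the record exists.
    $user = $this->getUser();
    $this->forward404Unless($user->isAuthenticated() && $user->hasCredential('admin'));

    // 2. Look the record up by id. The file name is never taken from the
    //    request; it comes from the database row.
    $driver = Doctrine_Core::getTable('Driver')->find($request->getParameter('id'));
    $this->forward404Unless($driver);

    // 3. Even the stored name is checked against the shape sfValidatedFile
    //    generates (hex digest plus an image extension from the web_images
    //    category), so a tampered value such as "../../config/databases.yml"
    //    can never escape data/files/driver_licence.
    $name = $driver->getDriverLicencePic();
    $this->forward404Unless(preg_match('/^[A-Za-z0-9]+\.(jpe?g|png|gif)$/', $name));

    $path = sfConfig::get('sf_data_dir').'/files/driver_licence/'.$name;
    $this->forward404Unless(is_file($path));

    // 4. Fixed content type derived from the whitelisted extension, sent as
    //    an attachment, with sniffing disabled, so a browser never executes
    //    anything that happens to be inside the file.
    $types = array('jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif');
    $ext   = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    $body  = file_get_contents($path);

    $response = $this->getResponse();
    $response->setContentType($types[$ext]);
    $response->setHttpHeader('Content-Length', strlen($body));
    $response->setHttpHeader('Content-Disposition', 'attachment; filename="'.$name.'"');
    $response->setHttpHeader('X-Content-Type-Options', 'nosniff');
    $response->setContent($body);

    // No template: symfony sends the headers and content set above as-is.
    return sfView::NONE;
  }
}
```

The whole file is loaded into memory with file_get_contents, which is fine for licence pictures; for large downloads you would stream it instead, but the important part is unchanged: the web server never sees data/files, every request passes through your authorisation check, and the path on disk is built only from values you control.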
The content of this site is published under a Creative Commons License. Some parts of the content are a remix of the official symfony documentation.