
http://www.plupload.com - "Allows you to upload files using HTML5 Gears, Silverlight, Flash, BrowserPlus or normal forms, providing some unique features such as upload progress, image resizing and chunked uploads." This is the uploader used in the current WordPress v3.4.1 and the best one out there in my opinion.

It comes with an upload.php file (full file: http://ideone.com/xbPUS).

I have doubts about its security: when I have upload.php on my server, even if I don't set up any JavaScript for Plupload, anyone is still able to relatively easily send a request to the upload.php file and upload anything, anytime... TRUE OR FALSE?

How do I prevent that?

Atadj
  • 7,050
  • 19
  • 69
  • 94
  • I have the same doubts. This script sucks but shows how to handle multipart files. If two or more users are uploading the same file with the same name then the .part files would be screwed, I guess. Also it does client-side filtering only. – GorillaApe Oct 13 '12 at 11:19

2 Answers

5

It's not a security issue. Across the internet you can try to upload anything you want to servers (addresses) that support the POST method. It's up to the server-side software to accept or reject such an upload; it's always been this way. Of course there can be some restrictions put on who uploads what (using tokens, authorization etc.), but that's up to you (as the developer) to handle.

As to the upload.php file from Plupload, I think it's supposed to be just a quick and dirty example that makes trying out Plupload a little bit easier.

WTK
  • 16,583
  • 6
  • 35
  • 45
  • Totally! Plus, adding a check that limits the file extension is relatively easy. – Nir Alfasi Aug 14 '12 at 08:21
  • So, it is a security issue - because they didn't include basic filters to remove the ability to upload PHP files etc. They provide a dirty script. Are there any "general purpose/universal" filters out there to extend their upload.php? Just to exclude files such as PHP. – Atadj Aug 14 '12 at 08:22
  • Ok, two things to distinguish here. If you're asking strictly about *upload.php* from the Plupload examples, then yes, it may be a security issue to just drop it on a server and continue to use it. If you're asking whether uploads are secure in general, then the answer is (more or less) yes, as long as you filter the data (by type, size etc.) and provide authentication. – WTK Aug 14 '12 at 08:29
  • @WTK That's right! Thanks for the answer! Now I'm only looking for some filter scripts and methods to make that work "the correct way" with WordPress :) – Atadj Aug 14 '12 at 08:45
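The answer above says the server has to reject what it does not want, and the comments ask for the basic filters that the example upload.php does not have. The block below is an added example, not Plupload's upload.php and not WordPress code: a minimal handler that applies the checks a practitioner would expect before anything touches disk. It assumes the multipart field is called "file", a 10 MiB limit, a small allowlist of extensions with the content type each must sniff as, and an upload directory outside the web root; all of those are assumptions, not Plupload settings. It validates one complete file per request, so it assumes Plupload's chunking is off (with chunking on, the same checks have to run on the reassembled file, not on each chunk).

```php
<?php
// Added example, not Plupload's upload.php: server-side validation for an upload
// endpoint. Assumes the multipart field "file" and an upload directory outside
// the web root (both assumptions, see the lead-in).
declare(strict_types=1);

const MAX_BYTES = 10 * 1024 * 1024; // assumed 10 MiB limit

// Allowlist: lowercase extension => content type fileinfo must report for it.
const ALLOWED = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
    'pdf'  => 'application/pdf',
];

/**
 * Validate one $_FILES entry and return the extension to store it under.
 * Throws RuntimeException with the reason otherwise. Nothing the client sent
 * (name, type) is trusted on its own.
 */
function validateUpload(array $f): string
{
    if (($f['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload error ' . $f['error']);
    }
    if (!is_uploaded_file($f['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($f['size'] > MAX_BYTES || filesize($f['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Last extension, lowercased: "shell.jpg.php" fails here, "x.PHP" is not
    // let through by case, and "shell.php.jpg" must still pass the sniff below.
    $ext = strtolower(pathinfo($f['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException("extension '$ext' not allowed");
    }
    // $_FILES[...]['type'] is client-supplied; sniff the bytes instead.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException("content type $mime does not match .$ext");
    }
    return $ext;
}

/**
 * Move a validated upload into $uploadDir under a random name.
 * The client-chosen name is never used on disk, which also removes the
 * ".part" name-collision problem raised in the comments.
 */
function storeUpload(array $f, string $uploadDir): string
{
    $ext  = validateUpload($f);
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($f['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640); // readable, never executable
    return $name;
}

// Endpoint behaviour when the file is requested over HTTP.
if (PHP_SAPI !== 'cli') {
    header('Content-Type: application/json');
    if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_FILES['file'])) {
        http_response_code(400);
        echo json_encode(['error' => 'expected a POST with a "file" field']);
        exit;
    }
    try {
        // Assumed location: a directory the web server does not serve.
        $stored = storeUpload($_FILES['file'], __DIR__ . '/../uploads');
        echo json_encode(['ok' => true, 'file' => $stored]);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo json_encode(['error' => $e->getMessage()]);
    }
}
```

This covers the "filter the data (by type, size etc.)" half of the answer; it still has to sit behind whatever authentication and CSRF protection the site uses, and the upload directory should additionally be configured so the web server never executes anything in it (for Apache, no PHP handler for that directory). PHP's own `upload_max_filesize` and `post_max_size` cap the request before this code runs, so MAX_BYTES should not be larger than those.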
1

I think you want WordPress to work with upload.php and not the other way around, so that if anyone calls upload.php directly it will fail. Can you set some specific information that will only be available from within your WordPress functions? In upload.php you can check for this information, and if it is not available it will stop. Hope this is what you need.

Jurgo
  • 907
  • 4
  • 18
  • Thanks for the suggestions. Do you have an idea on how to use such "specific information that will only be available from within your WordPress functions"? Is it some unique ID from the database? Or a PHP session? A cookie? – Atadj Aug 14 '12 at 09:49
  • I think I would write a WordPress plugin for this upload functionality. In this plugin you can include the upload.php file. In the plugin there's a function which uses the upload.php file; in this function you can set a constant. In upload.php you can check for this constant. So the constant is only available from within your WordPress plugin. What do you think? – Jurgo Aug 14 '12 at 09:56
  • It works with a constant for me. I'm going through the PHP.net manual on uploading files. Many improvements can be made :) Thanks for your valuable suggestion! – Atadj Aug 14 '12 at 10:46
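The comments above settle on a constant that only exists when the handler is included from the plugin. The block below is an added example showing that guard wired into a WordPress plugin; it is neither Plupload's nor WordPress's own code. On its own the constant only stops bare GET/POST requests to the handler file, so the example also uses the two checks WordPress already provides for AJAX handlers, a nonce and a capability test, and delegates the file-type filtering to `wp_handle_upload()` rather than reimplementing it. The constant name `PLUPLOAD_GATE`, the AJAX action `gated_upload`, the script file `uploader.js` and the handler file `upload-handler.php` are all assumed names. It assumes WordPress 3.5 or later (for `wp_send_json_*`) and, as in the other example, one whole file per request (Plupload chunking off).

```php
<?php
/*
Plugin Name: Gated Plupload handler (added example, not Plupload or WordPress code)
*/
defined('ABSPATH') || exit; // plugin file itself is not usable as a bare URL

// 1. Hand the browser the endpoint, the action name and a nonce. The plugin's
//    uploader.js (assumed file) passes action and nonce in Plupload's
//    multipart_params so they arrive with every upload request.
add_action('wp_enqueue_scripts', function () {
    wp_enqueue_script('gated-plupload', plugins_url('uploader.js', __FILE__), ['plupload'], '1.0', true);
    wp_localize_script('gated-plupload', 'gatedUpload', [
        'url'    => admin_url('admin-ajax.php'),
        'action' => 'gated_upload',
        'nonce'  => wp_create_nonce('gated_upload'),
    ]);
});

// 2. Only logged-in users reach this hook: there is deliberately no
//    wp_ajax_nopriv_gated_upload, so anonymous requests get WordPress's
//    default "0" response and never touch the handler.
add_action('wp_ajax_gated_upload', function () {
    check_ajax_referer('gated_upload', 'nonce');     // dies on a missing or bad nonce
    if (!current_user_can('upload_files')) {
        wp_send_json_error('insufficient permissions');
    }
    define('PLUPLOAD_GATE', true);                   // the "specific information" from the answer
    require __DIR__ . '/upload-handler.php';         // assumed handler file, see below
    wp_die();
});

// ---- contents of upload-handler.php (it starts with its own <?php tag) ----
// This is the guard the answer describes: the constant is defined only on the
// request path above, so a direct request for this file stops here.
if (!defined('PLUPLOAD_GATE')) {
    http_response_code(403);
    exit('direct access denied');
}
if (empty($_FILES['file']) || !is_uploaded_file($_FILES['file']['tmp_name'])) {
    wp_send_json_error('no file received');
}
// WordPress's own upload routine: checks the extension and sniffed type against
// the site's allowed MIME list, generates a unique file name in the uploads
// directory and moves the file. test_form is off because the form's "action"
// field is our AJAX action, not the default "wp_handle_upload".
require_once ABSPATH . 'wp-admin/includes/file.php';
$result = wp_handle_upload($_FILES['file'], ['test_form' => false]);
if (isset($result['error'])) {
    wp_send_json_error($result['error']);
}
wp_send_json_success(['url' => $result['url']]);
```

On the browser side the Plupload instance points `url` at `gatedUpload.url`, keeps the default `file_data_name` of `file`, and sets `multipart_params` to `{action: gatedUpload.action, nonce: gatedUpload.nonce}`; without the nonce `check_ajax_referer()` refuses the request, so a script that only knows the endpoint cannot upload on a logged-in user's behalf either.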