
I'm developing a Web application where users can upload files.

Suppose there are different file categories, e.g. audio and docs. I guess I can put all the files that belong to a category in a unique folder, e.g.:

audio_dir
  -file_from_user1.mp3
  -another_file_from_user1.mp3
  -file_from_user2.mp3
  -file_from_user4.mp3
docs_dir
  -file_from_user1.doc
  -file_from_user5.pdf

The other solution I'm evaluating uses a third level, where files are grouped by users.

audio_dir
  user1_dir
    -file_from_user1.mp3
  user2_dir
    -file_from_user2.mp3
  user4_dir
    -file_from_user4.mp3
docs_dir
  user1_dir
    -file_from_user1.doc
  user5_dir
    -file_from_user5.pdf

Which solution is best? Please note that I'm interested in server security vulnerabilities and scalability.

JeanValjean

1 Answer


In terms of security you should store the files outside of the web root. This effectively prevents someone from uploading a *.php or a *.pl or a *.py or .htaccess or any other executable script that may be executed based on the HTTPD's configuration. I would also pass the file name through basename() before writing the file to prevent directory traversal attacks.

Then you can have a PHP script serve the file. You can also add user access control and file ownership by mapping the files to metadata stored in a SQL database.

rook
  • @Rock Two points to discuss! 1) If the upload is handled with care (i.e., file extensions are checked, basename() is used, authentication is handled, authorization too...), can one use the web root dir? 2) Which one of the two approaches I showed in my question is better from a scalability point of view and why? – JeanValjean Aug 30 '12 at 08:04
  • @JeanValjean oh yeah, except there are a thousand ways to bypass these checks. Do you understand null byte injection? Do you understand that backdoor.php.junk will execute as a .php file? And yes, there are many other attacks. – rook Aug 30 '12 at 15:35
  • @JeanValjean both are equally prone to attack and both are about the same speed. You have addressed absolutely nothing in your proposal. – rook Aug 30 '12 at 15:36
  • I suppose that nothing is really secure. This doesn't mean that nothing should be done, but I guess one could agree that storing the files outside the web dir will not guarantee 100% security against the multitude of attacks. About the two proposals, which you say are the same, I was wondering about the computational cost for file access in the two alternatives. – JeanValjean Aug 30 '12 at 16:20
  • @JeanValjean there are very secure systems out there, however you have not explained how your system prevents attack. – rook Aug 30 '12 at 18:21
  • Mhhh! I do agree with you! There are several secure systems out there. However, my question was related to which of the two ways I described is best for file organization with respect to **security vulnerabilities** and **scalability**. About the first point, you addressed some noticeable points for not using the web dir. About the second point you said that both ways are the same for scalability. Why should I explain how my system prevents attack? However, I have a Symfony2 web app, which is going to be deployed in a dedicated housing in a web farm: I have no more info! – JeanValjean Aug 30 '12 at 22:01
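The pattern rook's answer describes (files outside the web root, a PHP script serving them, ownership looked up in a metadata table, basename() on anything user-derived) as an added example; this is not code from the answer or from the asker's Symfony2 app. STORAGE_ROOT, the metadata rows and the `id`/`user_id` parameters are assumptions; note that basename() leaves `.` and `..` untouched, so the helper rejects those explicitly.

```php
<?php
// Added example, not code from the answer: a download endpoint serving an upload
// stored outside the web root. STORAGE_ROOT and the metadata rows are assumptions
// standing in for the real SQL table the answer mentions.
declare(strict_types=1);
const STORAGE_ROOT = '/var/app/uploads';   // assumed path, not under DocumentRoot
// Constructed stand-in for the metadata table. 'stored' is a server-generated
// name; 'original' is whatever the uploader sent and is never used as a path.
function upload_metadata(): array {
    return [
        42 => ['owner' => 7, 'category' => 'audio', 'stored' => 'a1b2c3.bin',
               'original' => 'song.mp3',         'mime' => 'audio/mpeg'],
        43 => ['owner' => 9, 'category' => 'docs',  'stored' => 'd4e5f6.bin',
               'original' => '../../etc/passwd', 'mime' => 'application/pdf'],
    ];
}
// basename() strips directories but leaves '.' and '..' intact, so reject those too.
function safe_component(string $name): ?string {
    $base = basename($name);
    return in_array($base, ['', '.', '..'], true) ? null : $base;
}
// Map a file id to an on-disk path the current user may read. null means "not
// found" whether the id is unknown, owned by someone else, or malformed.
function resolve_upload(int $fileId, int $userId, array $meta, string $root = STORAGE_ROOT): ?string {
    $row = $meta[$fileId] ?? null;
    if ($row === null || $row['owner'] !== $userId) {
        return null;
    }
    $category = safe_component($row['category']);
    $stored   = safe_component($row['stored']);
    return ($category === null || $stored === null) ? null : "$root/$category/$stored";
}
// The user-supplied name goes only into Content-Disposition, sanitised; nosniff
// keeps the browser from reinterpreting the declared type.
function download_headers(array $row): array {
    $name = str_replace(['"', "\r", "\n"], '', basename($row['original']));
    return ['Content-Type'           => $row['mime'],
            'Content-Disposition'    => 'attachment; filename="' . $name . '"',
            'X-Content-Type-Options' => 'nosniff'];
}
// Controller use (web request only): the id comes from the route, the user from the session.
if (PHP_SAPI !== 'cli') {
    $meta = upload_metadata();
    $id   = (int)($_GET['id'] ?? 0);
    $path = resolve_upload($id, (int)($_SESSION['user_id'] ?? 0), $meta);
    if ($path === null || !is_file($path)) { http_response_code(404); exit; }
    foreach (download_headers($meta[$id]) as $k => $v) { header("$k: $v"); }
    readfile($path);
}
```

Because the client only ever sends a numeric id, the on-disk layout (per-category or per-category-per-user) is an internal detail the download path never exposes, which is why the two layouts in the question are equivalent from the serving side.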