I wrote a site for our internal users to upload files from clients over an SSL connection (as opposed to using FTP or e-mail to move these files). However, as always seems to happen, management now wants to allow clients to use the site as well. So, to that end, I need to shore up it's security a little bit. One thing that I want to do is limit the type of file that is uploaded, but everywhere I look I see people saying this is really difficult. I know you can't trust anything that is sent by the client, so how do I verify that that file sent up is either a PDF or Excel document?
Just to clarify, I don't have these files stored anywhere near the web doc root and I re-name all of them using a random number generator, so they can't be directly accessed. That's harder to explain to a sales manager, though, than just saying you can't upload anything but the allowed types and then prove it to them.
Just to clarify, I don't have these files stored anywhere near the web doc root and I re-name all of them using a random number generator, so they can't be directly accessed. That's harder to explain to a sales manager, though, than just saying you can't upload anything but the allowed types and then prove it to them.