malevolent design weblog

This blog is now defunct, but you can find more stuff over at my personal site

The Downside of Uploads

Any site that allows users to upload files clearly needs to be careful, but even some fairly savvy developers seem to underestimate the dangers, thinking they’re OK as long as they only allow simple static files such as images.

Unfortunately, IE’s ‘MIME sniffing’ makes life particularly difficult. Instead of primarily relying on the web server to tell it what type of file it’s receiving, IE tries to guess from the content. That means no uploaded file can be trusted (update: their examples no longer work, so here’s a quick demo), as it’s trivial to rename a malicious web page (e.g. one containing JavaScript that steals information or performs actions) to have an innocent-looking file extension. You can check the first 256 bytes for certain tags as a first line of defence, but you should also parse/process all images (e.g. recompress to create a new JPEG) and force other file types to spawn a download prompt when requested (using a `Content-Disposition: attachment` header, although it seems it may be possible to bypass that, and HTML files are still unsafe).

Microsoft seems to think MIME sniffing is still essential to cope with poorly-configured servers, and so is willing to tolerate the side-effects (we wouldn’t want anyone to break into a sweat at the thought of actually fixing their systems, would we?).

It’s not just IE that causes extra problems (e.g. images can contain Flash policy files, and PDF has had its issues), and I still notice scripts that don’t even validate the file’s details properly in the first place (e.g. they check the MIME type then trust the filename). If you’ve got a site that accepts uploads, take some time to check your code and investigate the exploits, as it’s easy to miss fiendish details.
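To make the defences above concrete, here is an added example (my own sketch, not code from the original post) of a server-side upload check. It scans the first 256 bytes for HTML markers, as the post suggests, decides the file type from its leading bytes rather than from the filename or the browser-declared MIME type (the mistake described in the paragraph above), and derives the headers the file must later be served with: images that pass go out with their detected type, everything else is forced to a download via `Content-Disposition: attachment`. The `X-Content-Type-Options: nosniff` header is a later IE addition not mentioned in the post; the signature table, `check_upload` function and sample uploads are all constructed for this demo, and the re-encoding of images the post recommends is left as a comment because it needs an image library.

```python
"""Server-side checks for user-uploaded files (added example, not the blog's code)."""
import re
from dataclasses import dataclass
from typing import Optional

# Leading-byte signatures for the only formats we will serve inline (constructed table).
IMAGE_SIGNATURES = {
    "image/jpeg": [b"\xff\xd8\xff"],
    "image/png": [b"\x89PNG\r\n\x1a\n"],
    "image/gif": [b"GIF87a", b"GIF89a"],
}
EXTENSIONS_FOR = {"image/jpeg": {"jpg", "jpeg"}, "image/png": {"png"}, "image/gif": {"gif"}}

# Tags a sniffing browser treats as evidence of HTML, searched case-insensitively
# inside the first 256 bytes, mirroring the first-line check the post describes.
HTML_MARKERS = re.compile(
    rb"<\s*/?\s*(html|head|body|script|iframe|object|embed|title|a\b|img|meta|!doctype|\?xml)",
    re.IGNORECASE,
)
SNIFF_WINDOW = 256


@dataclass
class Verdict:
    accepted: bool
    detected_type: Optional[str]
    reason: str
    headers: dict  # headers to use when the stored file is later served


def detect_image_type(data: bytes) -> Optional[str]:
    """Return the MIME type whose magic bytes match, ignoring what the client claimed."""
    for mime, sigs in IMAGE_SIGNATURES.items():
        if any(data.startswith(sig) for sig in sigs):
            return mime
    return None


def looks_like_markup(data: bytes) -> bool:
    """True if the sniffing window contains HTML-like tags."""
    return HTML_MARKERS.search(data[:SNIFF_WINDOW]) is not None


def check_upload(filename: str, client_mime: str, data: bytes) -> Verdict:
    """Decide whether to keep the upload and how it must be served.

    client_mime is what the browser sent; it is only echoed into the reason
    string and never used to choose the served Content-Type.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "download"
    nosniff = {"X-Content-Type-Options": "nosniff"}

    # 1. Anything a sniffing browser could take for HTML is rejected outright,
    #    whatever the extension: an attachment header does not make HTML safe.
    if looks_like_markup(data):
        return Verdict(False, None, "HTML markers in the first %d bytes" % SNIFF_WINDOW, {})

    # 2. The type comes from the content, not from the filename or client_mime.
    detected = detect_image_type(data)
    if detected is not None:
        if ext not in EXTENSIONS_FOR[detected]:
            return Verdict(False, detected, f"content is {detected} but extension is .{ext}", {})
        # Store only a re-encoded copy (image library not shown) so that
        # trailing payloads or odd metadata never reach other users.
        return Verdict(True, detected, f"image verified by signature (client said {client_mime})",
                       {"Content-Type": detected, **nosniff})

    # 3. Everything else is stored but always served as a download.
    return Verdict(True, "application/octet-stream", "non-image: force download",
                   {"Content-Type": "application/octet-stream",
                    "Content-Disposition": f'attachment; filename="{safe_name}"', **nosniff})


if __name__ == "__main__":
    # Constructed sample uploads: a real PNG header, an HTML page renamed to .jpg,
    # a GIF carrying a script tag in its first 256 bytes, a JPEG misnamed .gif,
    # and an opaque binary blob the client mislabels as text/html.
    samples = [
        ("avatar.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 40),
        ("cute.jpg", "image/jpeg", b"<html><script>alert(1)</script></html>"),
        ("anim.gif", "image/gif", b"GIF89a" + b"\x00" * 20 + b"<script>x</script>"),
        ("photo.gif", "image/gif", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
        ("notes.bin", "text/html", b"\x00\x01\x02binary"),
    ]
    for name, mime, blob in samples:
        v = check_upload(name, mime, blob)
        print(f"{name:10} accepted={v.accepted!s:5} {v.reason}; headers={v.headers}")
```

The ordering matters: the markup scan runs before the signature check, because a file can carry a perfectly valid GIF header and still contain tags within the sniffing window, which is exactly the case the post's "no uploaded file can be trusted" warning is about.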
