Embedding A Server Side Call In HTML?


chestertb
12-30-2006, 05:48 AM
I'm trying to decide whether to allow users to upload HTML files into their webspace.

Because of current limitations of server configuration on the prototype site, I'm loading member files into subfolders under the public web folder like this...
site = www.somesite.tld
user1's space = www.somesite.tld/user1

The problem is that, in this configuration, a server script could make, say, a $_SYSTEM call in php and get access not only to the member's own web space but to any folder in the site's file path.

Therefore, users are restricted to image, audio, video and shockwave files.

I'm wanting to add html files to the list, but before I do, is there any circumstance (or language) that would allow a user to embed something in an html file that makes a server system call?

Thanks
CTB

(NOTE! ALSO POSTED IN HTML SECTION)

russell
12-31-2006, 11:26 AM
you're safe as long as your config doesn't treat .htm or .html as files to be parsed by php engine. or for that matter, any extension other than .php. in your upload script, rename all files. at the very least give 'em .html (or .htm) extensions. then if anyone ever tries to execute 'em, it will simply display, rather than execute, any embedded code.

still, it is always a good idea to rename any files anyone ever uploads, since a malicious user will immediately try to execute a trojan they upload. if they don't know the name, they are going to have to work a bit harder to execute. and if it is html and the php parser ignores it, well no problem.

any sneaky iframes and applets, javascripts and such will execute only on users machine not server so that isn't going to be a problem either.

web server should have virus scan set to scan at write time and quarantine any suspicious files.

chestertb
12-31-2006, 06:28 PM
thanks russell & happy new year.

at the moment, uploads are filtered when they arrive at the server. we only allow images (.jpg, .png, .gif), video and audio (.wmv, .mov, .mp3 etc), text (.txt, .css & now .htm/.html), compressed (.zip, .gz etc) and a few common application data files (.doc, .xls, .ppt, .ai, .psd, .eps, .dwg, .dxf etc).

anything else is rejected.

interesting tip about renaming. to do that we'd need to maintain a db of uploaded files. given the limitation on uploads, do you think the added security is justified by the additional overhead?

ctb

russell
12-31-2006, 07:08 PM
i definitely do. this is a minor additional overhead for a major security implementation.

don't depend on file extension filtering alone. nothing to stop someone from uploading an executable with a .png extension or some such thing.

happy new year.

rb
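
The two pieces of advice in this thread (rename every upload, and don't rely on the extension alone), as an added example that is not part of the original posts. The names `ALLOWED` and `store_upload()`, the allowlist contents and the use of the temp directory as destination are assumptions; it needs PHP 7.1+ with the fileinfo extension, and the returned pair is what the database of uploaded files would record.

```php
<?php
// Added example, not code from the thread. ALLOWED and store_upload() are hypothetical names.
const ALLOWED = [   // extension => MIME types its content may sniff as
    'png'  => ['image/png'],
    'jpg'  => ['image/jpeg'],
    'gif'  => ['image/gif'],
    'html' => ['text/html', 'text/plain'],
    'txt'  => ['text/plain'],
];

// Validate one upload and store it under a random name.
// Returns [storedName, originalName] for the lookup table, or null if rejected.
function store_upload(string $tmpPath, string $clientName, string $destDir): ?array
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if ($ext === 'htm') {
        $ext = 'html';
    }
    if (!array_key_exists($ext, ALLOWED)) {
        return null;    // extension not on the allowlist
    }
    // Sniff the bytes; the client-supplied name and Content-Type are untrusted.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if (!in_array($mime, ALLOWED[$ext], true)) {
        return null;    // e.g. an executable uploaded as something.png
    }
    // Unpredictable name; the extension is the allowlist key, not the client's string.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    // A real handler would call move_uploaded_file() here instead of rename().
    if (!rename($tmpPath, $destDir . DIRECTORY_SEPARATOR . $stored)) {
        return null;
    }
    return [$stored, basename($clientName)];
}

// Constructed sample inputs (not real files).
$samples = [
    'photo.png'  => "\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
    'trojan.png' => "\x7fELF\x02\x01\x01\x00" . str_repeat("\x00", 56),
    'page.htm'   => "<!DOCTYPE html><html><body>hi</body></html>",
    'script.php' => "<?php echo 1; ?>",
];
foreach ($samples as $name => $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tmp, $bytes);
    $result = store_upload($tmp, $name, sys_get_temp_dir());
    echo $name, ' => ', $result ? $result[0] : 'rejected', PHP_EOL;
    if ($result === null) { unlink($tmp); }
}
```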