Hi All,
I have a front end form on my site for which I use acf_form. This form allows registered users to upload images in a gallery filed. I am limiting the accepted files to ‘jpeg,jpg,gif,png’ and have placed a 2mb file size limit on it.
I’ve been asked to conduct a security review on the site and I am looking at how secure this process is, the requirements I need to meet are as follows:
——
1. The uploaded file name must be checked server-side in order to reject file names:
– That contain a “null byte” (%00)
– That begin with a “.” (hidden file on Unix), especially “.ht” (configuration override file)
– That contain “/” “\” “..” or any forbidden filename characters that are equal to filenames used by web server or application server configuration (crossdomain.xml, clientacesspolivy.xml, web.xml, …)
2. The uploaded file extension must be validated server-side, following a “white list” approach, where only a limited list of file extension is accepted. File extension must not correspond to an executable file or script. The extension must also be taken into account starting from the end of the file name and not by the first character “.” from the beginning of the name
3. The MIME type of upload file must be validated server-side with a white list approach. File with multiple MIME parts should not be accepted.
4. The size of uploaded files must be checked during transfer or before saving them to the hard drive, and must not exceed a certain limit set by the available disk space and the number of files that can be downloaded.
——
Of the above requirements, I am fairly confident that 1, 2 and 4 are met, however I don’t think that ACF checks the MIME type of the uploaded file? Am I correct? I have just tried by renaming a .exe file to a .jpg and I got it to upload fine which is slightly concerning.
Thanks in advance.
Kevin
