On Wed, 2005-03-02 at 23:48 -0500, jonathan vanasco wrote:
> On Mar 2, 2005, at 7:21 PM, Richard F. Rebel wrote:
> > I worked for a company who did mass free hosting and I can tell you
> > that browser supplied mime types are not enough in many situations.
>
> I agree - my question was if they tended to call a 'valid' file
> invalid, or an invalid file valid -- the idea being that if the browser
> claimed something was a pdf, and I only want jpgs, it's safe to throw
> it out without doing additional testing (i.e. the magic byte to image app
> tests). If the browser says it's a jpg, then I do actual file analysis
> to see if it is indeed a jpg. (The idea being to conserve CPU.)

Yes, I would say yes, it's safe, except in the case of octet-stream, which you might permit and test afterwards.

> > I had to resort to file magic byte testing (the technique used by the unix
> > 'file' command), and then further to ensuring that tars, rars, bzips,
> > pkzips etc. all passed consistency checks and had no padded data on the
> > end, as well as checking the contents. We also ended up having to run
> > JPEGs and GIFs through image libraries to ensure the same, as people
> > were uploading copies of Windows in hundreds of JPEGs which had proper
> > headers but the remainder was added-on CAB files.
>
> That sounds awful, and unfortunately like something I must do.
>
> > Also, if I remember correctly you must write a mod_perl content handler
> > in order to accurately stop a 'claimed' 100k upload that is in actuality
> > a 100MB upload. We did this by counting bytes as we read them and
> > aborting once over a given size. Also, I think some browsers don't
> > correctly report the size of uploaded files, but I am kinda hazy on this
> > aspect. This was apache 1.3 btw.
>
> Ok, this is a more general question then -- shouldn't POST_MAX handle
> that?

For absolute max, yes. Depends on your quota needs.

> > 2 ensure they cannot upload larger than claimed/quota amounts by
> > writing a handler in mod_perl or C that counts the bytes. TIME OUT slow
> > connections... e.g. upload 100k, wait, slow down, wait some more, send
> > some bytes, etc. This is an easy way to DOS you.
>
> Ok, now I'm scared. Does anyone know of a handler out there that does
> something like this? Or can point me in the right direction on how to
> make one? I def. don't have the knowledge to code this alone, but
> would be eager to work on one.

The module I wrote is owned by my prior employer, sorry. I don't know of any other module either. It wasn't that hard to write though.

The part about timing of connections is relatively simple as well: if you don't get X bytes over X amount of time, the connection is too slow. If you don't get ANY bytes over N amount of time, the connection is dead/too slow. Stuff like that. In apache 1.3 you can use alarm and/or selects. In Apache2 with a threaded MPM you are limited to selects.

> all of this upload stuff is for a 'profile' image for a community
> style site I'm working on. I'm only allowing limited numbers of
> uploads, but you've alerted me to a whole area of problems that are
> best addressed by doing this right and building handlers/etc. to prevent
> issues like this from possibly arising.

Well, maybe I sounded a little paranoid. If you cover the 'basic' stuff you'll rule out most of it. I worked for a large hosting site that had millions of free web sites; it was very attractive to try and abuse them as they had lots and lots of resources and bandwidth.

--
Richard F. Rebel
cat /dev/null > `tty`
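The byte-counting and slow-connection handling described in this thread, as an added example that is not code from either poster. It assumes mod_perl 2 on a prefork MPM (so the alarm-based timeout the message mentions for 1.3 still applies); the limits, the package name and the store_chunk callback are placeholders.

```perl
package My::UploadGuard;
# Content handler that reads the POST body in chunks, counting bytes as it
# goes, and aborts when the body exceeds the declared Content-Length or an
# absolute cap, when no bytes arrive within READ_TIMEOUT seconds, or when
# the average rate falls below MIN_RATE after a grace period.
# Assumption: prefork MPM, so alarm() is usable (threaded MPMs need select).
use strict;
use warnings;
use Time::HiRes qw(time);
use Apache2::RequestRec ();
use Apache2::RequestIO  ();
use Apache2::Const -compile => qw(OK HTTP_BAD_REQUEST
    HTTP_REQUEST_ENTITY_TOO_LARGE HTTP_REQUEST_TIME_OUT);

use constant MAX_BYTES    => 1_048_576;  # placeholder absolute cap: 1 MiB
use constant READ_TIMEOUT => 10;         # seconds with no bytes => dead
use constant MIN_RATE     => 1024;       # bytes/second, enforced after GRACE
use constant GRACE        => 5;          # seconds before the rate check applies
use constant CHUNK        => 8192;       # read size per iteration

sub handler {
    my $r = shift;
    my $claimed = $r->headers_in->{'Content-Length'};
    return Apache2::Const::HTTP_BAD_REQUEST
        unless defined $claimed && $claimed =~ /^\d+$/;
    return Apache2::Const::HTTP_REQUEST_ENTITY_TOO_LARGE if $claimed > MAX_BYTES;

    my ($total, $start, $buf) = (0, time, '');
    eval {
        local $SIG{ALRM} = sub { die "timeout\n" };
        while (1) {
            alarm(READ_TIMEOUT);              # no bytes in this window => abort
            my $n = $r->read($buf, CHUNK);
            alarm(0);
            last unless $n;                   # end of body
            $total += $n;
            # the client is sending more than it claimed, or more than allowed
            die "oversize\n" if $total > $claimed || $total > MAX_BYTES;
            my $elapsed = time - $start;
            die "timeout\n" if $elapsed > GRACE && $total / $elapsed < MIN_RATE;
            store_chunk($buf);
        }
    };
    return Apache2::Const::OK unless $@;
    return $@ eq "oversize\n" ? Apache2::Const::HTTP_REQUEST_ENTITY_TOO_LARGE
                              : Apache2::Const::HTTP_REQUEST_TIME_OUT;
}

sub store_chunk { }  # placeholder: write $_[0] to the quota-checked destination
1;
```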