Confirm
491
edits
Changes
→Image Upload
'''Upload Verification'''
* Use input validation to ensure the uploaded filename uses an expected extension type
* Ensure the uploaded image is not larger than a set defined maximum file size* Ensure the image dimensions are within the defined range for the application (example 50x50 to 200x200)* Use image rewriting libraries to verify the image is valid and to strip away extraneous content. * Set the extension of the stored image to be a valid image extension based on the detected content type of the image from image processing (e.g. do not just trust the header from the upload).* Ensure the detected content type of the image is within a list of defined image types (jpg, png, etc)
'''Upload Storage'''
* Use a new filename to store the image on the osOS. Do not use any user controlled text for this filename.* Properly escape the uploaded filename to ensure the user cannot modify the storage location by including directory traversal characters
* Store all user uploaded files on a separate domain (e.g. mozillafiles.net vs mozilla.org)
