Changes

WebAppSec/Secure Coding Guidelines

547 bytes added, 00:56, 27 January 2011
improved uploads guidance, added archives.
[https://wiki.mozilla.org/WebAppSec/Secure_Coding_Details#Word_Press Configuring Worpress Admin Pages Securely]
== Uploads =='''Attacks of Concern''': Malformed user uploads containing JavaScript, HTML or other executable code, Arbitrary file overwrite
=== Image Upload ==='''Upload VerificationAttacks of Concern'''* Use input validation to ensure the uploaded filename uses an expected extension type* Ensure the uploaded image is not larger than a defined maximum file size* Ensure the image dimensions are within the defined range for the application (example 50x50 to 200x200)* Use image rewriting libraries to verify the image is valid and to strip away extraneous content. * Set the extension of the stored image to be a valid image extension based on the detected content type of the image from image processing (e.g. do not just trust the header from the upload).* Ensure the detected content type of the image is within a list of defined image types (jpg: Malformed user uploads containing JavaScript, pngHTML or other executable code, etc)Arbitrary file overwrite
'''Upload Storage'''* Use a new filename to store the image on the OS. Do not use any user controlled text for this filename or for the temporary filename.* Store all user uploaded files on a separate domain (e.g. mozillafiles.net vs mozilla.org)=== General Uploads ===
'''Upload Verification'''  *Use input validation to ensure the uploaded filename uses an expected extension type *Ensure the uploaded file is not larger than a defined maximum file size '''Upload Storage'''  *Use a new filename to store the file on the OS. Do not use any user controlled text for this filename or for the temporary filename. *Store all user uploaded files on a separate domain (e.g. mozillafiles.net vs mozilla.org)Archives contents should be analyzed for malicious content (anti-malware, static analysis, etc) '''Public Serving of Uploaded Content''' * Ensure the image is served with the correct content-type (e.g. image/jpeg, application/x-xpinstall) === Image Upload === '''Upload Verification'''  *Ensure the image dimensions are within the defined range for the application (example 50x50 to 200x200)*Use image rewriting libraries to verify the image is valid and to strip away extraneous content. *Set the extension of the stored image to be a valid image extension based on the detected content type of the image from image processing (e.g. do not just trust the header from the upload). *Ensure the detected content type of the image is within a list of defined image types (jpg, png, etc) === Archive Uploads === '''Upload Verification'''  *Ensure that the decompressed size of each file within the archive is not larger than a defined maximum size *Ensure that an uploaded archive matches the type expected (e.g. zip, rar, gzip, etc) *For structured uploads such as an add-on, ensure that the hierarchy within the archive contains the required files
=Further Reading=
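Review bot: In the new === Archive Uploads === list, the size check covers only "the decompressed size of each file within the archive", so the total decompressed size and the number of entries stay unbounded, and no item addresses entry path names even though the section lists arbitrary file overwrite as an attack of concern. Suggest adding bullets for a total-size and entry-count limit and for rejecting entries whose names resolve outside the extraction directory. Two smaller points in the General Uploads text: "Archives contents should be analyzed for malicious content" is run onto the end of the separate-domain bullet and would fit better as its own bullet under Archive Uploads (as "Archive contents"), and the Public Serving bullet says "the image" although it sits under General Uploads and gives application/x-xpinstall as an example, so "the file" would match.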