File Inclusion/Web Shell

[Vrudin]

• What: When registering a new patent the file upload let a user upload any type of file including malicious ones. A user could upload a script executing on the server letting the user taking total control over the server. Such a script could be a web shell such as Ajax
• How: Imlement filetype-restrictions

[smholsen]

Before closing this issue we need to implement a sie check of the file. If the file is larger than 20 MB, do not allow upload.

[smholsen]

Do we need to check free disk space before collecting uploaded file? Will the db display errors to the user if it is attempted to upload file when not enough disk space? Note: Ask TA

[keiners]

checklist: https://www.owasp.org/index.php/Unrestricted_File_Upload#Prevention_Methods_.28Solutions_to_be_more_secure.29

edit: For header-check: $finfo = finfo_open(FILEINFO_MIME_TYPE); $mime = finfo_file($finfo, $file);

if ($mime != "application/pdf"){ $this->validationErrors[] = "Sorry, only PDF files are allowed."; }

[keiners]

kommenterer så noen mer php/github kompetente kan få det inn i applikasjonen: i startUpload() trenger vi while/if (file_exists($targetFile)) {endre fil-navn}