Which file types should an upload script disallow?

Asked by Anaphase (773

) January 18th, 2009

I’m crafting a cliché file upload script and need some help creating a list of disallowed file types. I figure files such as .php and .asp could be a potentially hazardous to let people upload. What other files should I block? Any input is greatly appreciated.

I should note that the security of my server is all that I’m worried about, so blocking files such as .exe, which are only hazardous to the users which download them, are not of interest.

Observing members: 0

Composing members: 0

4 Answers

I would say that you shouldn’t be blocking file types. You should be allowing them. You are asking for a nightmare.

jrpowell (40562

)“Great Answer” (0

) Flag as…

@johnpowell, that was actually my original plan, but when I was making the list of allowed types, I realized that there are probably more extensions I want to allow than ones I want to block…

Anaphase (773

)“Great Answer” (0

) Flag as…

Are you kidding me? Not blocking file types can open you up to a world of hurt. You should, at the least, block exe, com, bat, js, vbs, and wsh files unless you have some reason to allow that on your system. Active pages like .php and .asp files could be dangerous if you serve them from your web site, so you may take that into consideration as well.

Basically, you want to prevent anything from being uploaded that could cause a potential threat to your system or your user’s system.

OUSoonerTaz (1

)“Great Answer” (0

) Flag as…

Well, I’m running a Linux server, so I don’t think .exe or .bat files of any hazard to me. Plus, after long consideration, I came up with a solution to my problem: All file types are allowed, but scripts such as .php and .js are rendered as text when they are requested, so they’re not actually executed.

Anaphase (773

)“Great Answer” (0

) Flag as…