RE:(4) File Upload Security Question

Is it safe to allow users to upload a file as long as I name the file myself?

In general, yes (be sure to also control _where_ the file is going). Read up on perlman:perlsec and http://www.w3.org/Security/Faq/wwwsf4.html

Comment on RE:(4) File Upload Security Question

Replies are listed 'Best First'.
RE: RE:(4) File Upload Security Question by Anonymous Monk on Jun 13, 2000 at 16:34 UTC
Thank you. That is just what I needed to get going. Gratefully, Rad	[reply]
Re^3: (4) File Upload Security Question by Mr.Clean (Initiate) on Mar 10, 2008 at 21:28 UTC
Not always. There is a class of vulnerabilities known as Arbitrary File Upload. What an attacker will do is, put in the source code for a PHP shell(a web application used to manipulate a server) into a text document and then name it "name.php.jpg". what this is doing is disguising the shell as a JPEG image. This file will be uploaded unless your web application sanitizes the inputted file. So make sure that your web application does sanitize the file by making sure that the data that the file holds is of correct extension.	[reply]