tanger has asked for the wisdom of the Perl Monks concerning the following question:

Hi,

I'm making an online posting ad web application and it will require the end user to upload an image of his/her item. I'm working on the preview post function as of now and would like to know if the way I'm doing it leaves any major security risks.

Once a user posts his info and attaches his image to be uploaded, it will lead to a preview page that will view this image from a tmp folder (not outside my web directory). If he clicks "Choose a different image" then it will lead to the previous page and at the same time delete that image in the tmp folder. If he clicks submit final, then it will store the posting info and move the image in the tmp folder to the folder all images will be stored in.

For the upload code, I have a limit set and I check the file extension along with the MIME type. I only allow .gif, .jpeg, and .tiff.

Some of the possible security risks that come to mind are if a user decides to keep uploading to the tmp folder and not doing anything afterwards, therefore leaving that image uploaded inside the tmp folder. Someone may make a script to auto fill the post and upload tons of images inside my directory. To counter this I can probably do a post verification, but I don't really want to if not necessary (as in other methods to carry out my function that will not need to do this).

Thanks for taking your time to read this.
tanger

Re: Preview uploaded image
by Tanktalus (Canon) on Oct 22, 2005 at 16:03 UTC

    I'm always tempted to do these types of things in a database somehow. It allows me to easily/quickly determine who uploaded what and when (and have a cron job delete anything that is marked temporary and older than X hours). It does mean that the image retrieval has to be a CGI script - but it also allows the images to be moved around as long as I can point my database client to the server properly.

    Once I have such a cron job cleaning up the temporary files, I probably wouldn't bother worrying about abandoned files anymore. Just leave them, and the cron job will (eventually) clean it up. If you have a reasonable limit on image size, there really shouldn't be very many temporary images sitting around anyway. Note that you can use the filesystem to do the same thing - I just like the SQL syntax for it better as I can attach a lot more metadata to the image in SQL than I can in the file system.

    Note that I don't see abandoned files as a "security risk". I see that just as a cost of doing business in the stateless world of CGI. Which is where the cron job comes in. What I do see, however, is the distinct possibility that two people upload the same filename, resulting in a collision. By giving each file a generated identifier in the database, you can then refer to each image by that identifier instead of the original name, and not need to worry about collisions. Using the filesystem, you need to find another way to prevent collisions without race conditions.

Re: Preview uploaded image
by Joost (Canon) on Oct 22, 2005 at 15:55 UTC
    "Someone may make a script to auto fill the post and upload tons of images inside my directory."
    If that's a risk, they can also write a script that will click "submit final". It doesn't matter where the images are stored - sooner or later you *will* run out of disk space. If you allow just everybody to upload limitless amounts of data you're opening yourself up to this problem anyway.

    As for the tmp directory, I think I'd write a cron-script that deletes every file in the tmp folder with a ctime > 1 hour or so (or if you don't have access to cron, you might do that every time your upload script is run).

    Update: in reference to the first paragraph, I guess it would be a good idea to have password-protected user accounts, and only allow X amount of upload data per day per account. You might also want to check the amount of free disk-space and prohibit uploading before you run out of space completely.
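As an added example (not code from the original question or any of the replies), here is how the three points raised so far fit together in Perl: checking the file's own header instead of the client-supplied extension and MIME type, storing the upload under a server-generated name so two users' identical filenames cannot collide, and a cron-style purge of stale staged files. It assumes `$upload_fh` is a seekable filehandle such as the one CGI.pm's `upload()` returns, and `$tmpdir` is the staging folder inside the web directory.

```perl
use strict;
use warnings;
use File::Temp qw(tempfile);
use File::Spec;

# Header bytes for the allowed formats (png added, as suggested below).
# The extension and MIME type both come from the uploader, so the only
# trustworthy check is on the first bytes of the file itself.
my %MAGIC = (
    gif  => [ "GIF87a", "GIF89a" ],
    jpeg => [ "\xFF\xD8\xFF" ],
    tiff => [ "II*\0", "MM\0*" ],
    png  => [ "\x89PNG\r\n\x1a\n" ],
);

# Return the detected format, or undef if the header matches none of them.
sub image_format {
    my ($fh) = @_;
    seek $fh, 0, 0 or return;
    read $fh, my $head, 8;
    for my $fmt (sort keys %MAGIC) {
        for my $sig (@{ $MAGIC{$fmt} }) {
            return $fmt if substr($head, 0, length $sig) eq $sig;
        }
    }
    return;
}

# Copy the upload into $tmpdir under a name we generate, never the client's
# filename (no collisions, no "../" tricks). tempfile() creates the file
# with O_EXCL, so two uploads cannot race for the same name.
sub stage_upload {
    my ($upload_fh, $tmpdir, $max_bytes) = @_;
    my $fmt = image_format($upload_fh) or die "not an allowed image type\n";
    my ($out, $path) = tempfile("upload-XXXXXXXX", DIR => $tmpdir, SUFFIX => ".$fmt");
    seek $upload_fh, 0, 0;
    my $total = 0;
    while (read $upload_fh, my $buf, 65536) {
        $total += length $buf;
        if ($total > $max_bytes) { close $out; unlink $path; die "upload too large\n" }
        print {$out} $buf;
    }
    close $out;
    return $path;   # caller moves this to the permanent folder on "submit final"
}

# Run from cron: delete staged files whose mtime is older than $max_age seconds.
sub purge_stale {
    my ($tmpdir, $max_age) = @_;
    unlink grep { time - (stat $_)[9] > $max_age } glob File::Spec->catfile($tmpdir, "upload-*");
}
```

Abandoned previews then cost nothing but disk space until `purge_stale($tmpdir, 3600)` runs, and the per-upload size cap plus a per-account daily quota bound how much of that disk one script can consume.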

Re: Preview uploaded image
by ambrus (Abbot) on Oct 23, 2005 at 14:49 UTC

    What about png?

Re: Preview uploaded image
by TedPride (Priest) on Dec 08, 2005 at 12:08 UTC
    All you have to do is record which user / IP uploads each image; then, if there is an existing non-utilized image by that same user / IP, delete it before storing the new one. Then, to make sure, run a batch job every month or two to clean out any non-utilized images that fell through the cracks.

    NOTE: You'll have to let your users know that they can only do one image at a time. Some people with slow connections could theoretically try to do several images at once so they can go do something else while waiting for upload, and all but one of those images will be deleted using the method above.