FTP upload security
Posted on 2007-08-02
Hi everyone. I need to create an FTP upload facility for people using my website. I only wish for them to upload text files which will then be copied to the correct area on my website to be processed.
What I need to know is if setting the FTP directory to CHMOD 666 would be enough to stop people uploading and executing malicious code. I believe there is no way to theoretically stop people uploading anything they wish as they could upload it with a .txt filename and change once uploaded.
I can run a Cron Script that deletes unwanted files every few minutes, but that may give them long enough to upload and execute something on my server that is unwanted. I do not want to have a Cron running every minute because of the additional server load.
So, would making the directory none executable be enough, although I imagine they could just CHMOD the files they uploaded to executable.
Google offers a service like the one I wish to use on uploads.google.com via their google products facility. How do they do this and maintain security.
Some of the files that could be uploaded would far exceed the server limit of 8mb so I cannot offer this via a HTML form upload.
Does anyone have any ideas how to create an FTP upload system that is secure and wont compromise my server.