0

Presume a desktop application presents a Problem Reporting interface as part of it's GUI, and I wish to allow users to upload files as part of that PR.

One would hope this is only ever used for constructive purposes, however - this raises several questions:

  1. How does an organisation deal with 'content policy' - i.e. users uploading content etc that is against our terms, legal, moral etc
  2. How to protect against malicious file uploads, i.e. executables

There are plenty of pages such as this, but preventing upload of certain file types by extension is surely, weak?

mountainred
  • 179

1 Answers1

3

For point 1: It really depends on how public the uploaded files are. For instance if they only viewable by a small group of admin users, then no problem. If they are viewable by any user, then you have a business problem that needs to be communicated back to your BAs for policy and effort decisions. You may need to institute a manual approval system.

For point 2: Allowing only specific extensions is stronger than it looks on the surface. A malicious .exe file renamed to say .jpg will be harmless if only opened by a program that expects image files, and enforcing reasonable rules should not be difficult. Some filtering will almost certainly be required. For instance files intended to be opened with apps like Excel or Word almost certainly want to have macros disabled. I'm a little out if touch in this area but a Google search should bring up some good advice.

kiwiron
  • 2,384