Letting users upload files into a website is an area that requires careful management. Obviously there is a decision to be made around whether to store the file in a database or on the file system. The file should also be virus scanned.
Note that in business systems users can often upload files like PDFs that can include scripts that can run on the file system (if directly opened by someone on the back end). The likelihood of this really depends on your system design.
If you are storing files on the file system (even temporarily) here are some rules of thumb:
- Whitelist the file types that can be uploaded (make sure the check on the allowable types is enforced on the server as well as the client)
- Limit the file size (client and server)
- Store the file on a separate drive from the rest of your application, in a folder with minimal permissions – make sure the file cannot be executed. Consider using one account to write the file and another to read it, each with appropriate permissions on the folder.
- Virus scan the file
- Do not save using the name the user supplies
- Do not save using the extension the user supplies
- Do not access the file using a file path in a URL, e.g. http://mysite.com/showFile?path=\filedirectory\letter.doc. Instead use a GUID or some other identifier to prevent tampering, e.g. http://mysite.com/showFile?id=45464-454-454-454545. Get this wrong and you may end up displaying your web.config to the world: http://mysite.com/showFile?path=\..\..\web.config
The main point is to give the user as little control as possible over where the file is stored and how it is accessed.
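The rules above pulled together into one server-side handler, as an added example (not code from the original post): the allowlist is checked against the file's leading bytes as well as the claimed extension, the size limit is enforced, the stored name and extension are chosen by the server, the file is written without an execute bit, and retrieval accepts only a well-formed UUID so no user-supplied path ever reaches the file system. The storage directory, size limit and allowlist are assumed values.

```python
import os
import re
import tempfile
import uuid

# Assumed storage location: a directory outside the web root (constructed here in a temp dir).
UPLOAD_DIR = tempfile.mkdtemp(prefix="uploads-")
MAX_BYTES = 5 * 1024 * 1024  # server-side size limit (5 MiB, an assumed value)

# Allowlist: permitted extension -> magic bytes the file must start with (assumed set).
ALLOWED = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
}
# Only a version-4 UUID is ever accepted as an identifier on retrieval.
_ID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$")

def detect_type(data: bytes):
    """Return the allowlisted type matching the file's leading bytes, or None."""
    for ext, magic in ALLOWED.items():
        if data.startswith(magic):
            return ext
    return None

def store_upload(user_filename: str, data: bytes) -> str:
    """Validate and store an upload; return the opaque id used to fetch it later."""
    if len(data) > MAX_BYTES:
        raise ValueError("file too large")
    claimed = os.path.splitext(user_filename)[1].lower().lstrip(".")
    actual = detect_type(data)
    # Claimed extension and actual content must agree; a script renamed to .pdf fails here.
    if claimed not in ALLOWED or actual != claimed:
        raise ValueError("file type not permitted")
    file_id = str(uuid.uuid4())  # server-generated name, independent of the user's input
    path = os.path.join(UPLOAD_DIR, f"{file_id}.{actual}")
    # Create with owner read/write only and no execute bit; refuse to overwrite.
    with os.fdopen(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600), "wb") as fh:
        fh.write(data)
    return file_id

def resolve_upload(file_id: str) -> str:
    """Map an id back to its stored path; a request like ?id=..\\..\\web.config is rejected."""
    if not _ID_RE.match(file_id):
        raise ValueError("invalid id")
    for ext in ALLOWED:
        path = os.path.join(UPLOAD_DIR, f"{file_id}.{ext}")
        if os.path.isfile(path):
            return path
    raise FileNotFoundError(file_id)
```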