PDF Merge and Strict file validation on upload

Thanks Dave.. I guess my real questions are, would the server in either of these scenarios be vulnerable to an infected file?

cffile upload function using a "strict" attribute

or

the use of PDF Merge

Thanks,

Shannon

I always hesitate to say "no" when anyone asks me if something could potentially be insecure. But I doubt the server itself would be vulnerable to anything there, as long as nothing additional happened after that file upload.

But what if the attack didn't target the server, but other clients? I upload a file that's malicious in some way, it gets placed where another user can download it, they download it and are compromised.

Dave Watts, Fig Leaf Software

Understood... My concern in this case is for the server. Even though all users are trusted, there is still a chance of someone uploading and infected file. What would happen if the server used PDF merge on an infected file?

Shannon

I don't know enough about what happens during a PDF merge to answer that. But I suspect nothing would happen, if that file were never accessed again.

Dave Watts, Fig Leaf Software

Shannon, a few thoughts.

1) First, as for the strict validation, the whole point of that is to ensure that the file being uploaded is indeed the type that it says it is, so if someone uploads a PDF, CF will check to make sure that it’s a PDF (not an exe), and so on. So that’s the “protection” that the file “is what it says it is”.

2) Like Dave, I don’t know about pdf merging. (It seems curious that it’s a concern for you. It would seem to take two pdf’s and merge them. I’m sure that would only work if the two files were indeed PDFs, so I’d not expect that they could be or produce something else.)

But like he also says, no one can ever say “do x and there will be no vulnerabilities”. Security is such a complex subject, and even when someone may suggest they know an answer, they should admit that they “don’t know what they don’t know”. That’s why Dave is being cautious here, as am I.

3) But back to your initial question: you could certainly setup to either manually scan a file on the server, when it was uploaded or merged. Or in most a/v tools you can declare that directory to be auto-scanned, whenever a file is modified or even read.

4) Indeed, as Dave points out, A/V tools on servers are often trouble specifically because most of them these days DO setup to AUTOMATICALLY scan ALL files that are modified (in any folder). That can be expensive enough, as many people have code or tools that do generate new or updated files all the time. And not all NEED to be scanned.

Even worse, many a/v tools scan not just any file that is MODIFIED but any file that is simply READ! That can be truly a negative impact, as again plenty of CF files (internal files, and your code, and files your code may process) could be “read” throughout the day, perhaps a million times or more.

So I have often helped people see the value of judiciously identifying folders that could be excluded from such automatic scanning. Note I say judiciously: you do need to think carefully about where files might possibly end up on a server, whether through uploads, or code that writes files, or admins on the server downloading things from elsewhere. But there are plenty of folders where it would never be logical for a file to “end up”, and so one may choose to exclude such a folder.

But others who are more cautious will just let all folders be scanned. That’s understandable. I’m just saying the i/o impact can be significant.

And I bring all this up again in the context of your debating whether to have an a/v tool scan a folder. I’m just saying if you may choose to (or find you already do) have an a/v tool do auto scanning of such folders, if you find it would scan more than just the folder you’re thinking about, beware of this potential impact.

/charlie

This gives me plenty to think about. Thanks Charlie and Dave. You've both been very helpful.

Shannon