Educause Security Discussion mailing list archives

File input validation/upload validation in web environments


From: "James H. Moore" <jhmiso () RIT EDU>
Date: Tue, 1 Nov 2011 17:20:17 -0400

I had a question come to me about validating files uploaded to a web server.  Does anyone have a list of the risks from 
file uploads and how they are best managed?  People are discussing e-portfolios and the like, and wondered what risks 
and controls were appropriate.  Not being a web person, I wasn't sure.

Jim
- - - -
Jim Moore, CISSP, IAM
Senior Information Security Forensic Investigator
Rochester Institute of Technology
151 Lomb Memorial Drive
Rochester, NY 14623-5603
(585) 475-5406 (office)
(585) 255-0809 (Cell - Incident Reporting & Emergencies)
(585) 475-7920 (fax)


If you consciously try to thwart opponents, you are already late.  Miyamoto Musashi, Japanese philosopher/samurai, 1645

A ship in harbor is safe -- but that is not what ships are built for.  John A. Shedd, Salt from My Attic, 1928 