SECURITY.md: 19 additions & 1 deletion
@@ -5,7 +5,19 @@ To securely setup the project to serve uploaded files, please refer to the sampl
5
5
6
6
By default, all sample upload handlers allow only upload of image files, which mitigates some attack vectors, but should not be relied on as the only protection.
7
7
8
-
Please also have a look at the [list of fixed vulnerabilities](VULNERABILITIES.md) in jQuery File Upload.
8
+
Please also have a look at the [list of fixed vulnerabilities](VULNERABILITIES.md) in jQuery File Upload, which relates mostly to the sample server-side upload handlers and how they have been configured.
9
+
10
+
## Purpose of this project
11
+
Please note that this project is not a complete file management product, but foremost a client-side file upload library for [jQuery](https://jquery.com/).
12
+
The server-side sample upload handlers are just examples to demonstrate the client-side file upload functionality.
13
+
14
+
To make this very clear, there is **no user authentication** by default:
15
+
***everyone can upload files**
16
+
***everyone can delete uploaded files**
17
+
18
+
In some cases this can be acceptable, but for most projects you will want to extend the sample upload handlers to integrate user authentication, or implement your own.
19
+
20
+
It is also up to you to configure your Webserver to securely serve the uploaded files, e.g. using the [sample server configurations](#secure-file-upload-serving-configurations).
9
21
10
22
## Mitigations against file upload risks
11
23
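Review bot: the two bullet lines in this hunk, `***everyone can upload files**` and `***everyone can delete uploaded files**`, have no space between the list marker and the bold text, so they will not render as list items; write them as `* **everyone can upload files**` and `* **everyone can delete uploaded files**`. On the substance, the new "Purpose of this project" section correctly warns that everyone can upload and delete by default, but the advice that follows stops at "integrate user authentication"; it should add that authentication alone is not sufficient and that the handler must also check that the authenticated user is authorized for the specific file it is asked to delete (or list), otherwise any logged-in user can still delete other users' uploads. Minor: "Webserver" should be "web server" here and in the next hunk.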
@@ -40,6 +52,12 @@ Please note that the detection of file types in the sample file upload handlers
40
52
It does not protect at all from exploiting vulnerabilities in image display programs, nor from users renaming file extensions to inadvertently execute the contained malicious code.
41
53
42
54
## Secure file upload serving configurations
55
+
The following configurations serve uploaded files as static files with the proper headers as [mitigation against file upload risks](#mitigations-against-file-upload-risks).
56
+
Please do not simply copy&paste these configurations, but make sure you understand what they are doing and that you have implemented them correctly.
57
+
58
+
> Always test your own setup and make sure that it is secure!
59
+
60
+
e.g. try uploading PHP scripts (as "example.php", "example.php.png" and "example.png") to see if they get executed by your Webserver.
43
61
44
62
### Apache config
45
63
Add the following directive to the Apache config, replacing the directory path with the absolute path to the upload directory:
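Review bot: "serve uploaded files as static files with the proper headers" leaves the headers unnamed; since readers will copy these configurations, state which headers the sample configurations set (or make sure the linked mitigations section lists them) so an administrator can verify the deployed result rather than trust the snippet. The test suggestion at the end of the hunk, uploading "example.php", "example.php.png" and "example.png", is good but only says to check whether they "get executed"; spell out what a passing result looks like (each file is returned byte-for-byte as a static download with the configured content type, never interpreted), and point out that "example.php.png" is the case worth singling out, because an Apache setup that binds PHP to the `.php` extension with a handler directive applies to every extension in the filename, not just the last one. Style: "e.g. try uploading PHP scripts..." starts a paragraph with a lowercase abbreviation immediately after the blockquote; either fold it into the quote or begin it with "For example,".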