I haven’t checked the source fully, but it looks like the Group Documents plugin only checks files by extension and not something like the mime-type. So there is a chance that someone could do something “dodgy”; though if you have a decent user base, you won’t have to worry about it.
@PeterAnselmo – ping!
this is a great question that needs a good answer, you have me questioning the plugin now
first you only allow pdf, txt and doc or docx documents setting the mime tipes in your php script tu upload docs, and if is posible try using a server base antivirus if your server have one
Hi @rossagrant, @r-a-y & @hkcharlie,
Thanks for the good question. So, there are three separate questions here that are slightly but significantly different, and often get merged into one.
First: ‘Can people upload malicious things?’
Yes. Say I have a file MyVirus.exe. I can rename it to MyVirus.exe.txt, and upload it to the site. Adding a MIME type check would help significantly, but it’s not foolproof, as the MIME type can also be spoofed. What it would do is take what I would call a “casual” malicious user out of the picture, as only more experienced and/or motivated malicious users are going to go through the trouble of spoofing MIME types. Although this sounds terrible, it’s not as bad as you might think, leading into the next question…
‘Will this cause any problems for my website/server?’
No. This is not much of an issue for several reasons. The main reason is that Apache doesn’t give uploaded files executable permission. So, even if a virus is uploaded, and a user clicks on it, the most likely scenario is that the user will see the source code (which may be a bunch of junk if it’s a binary file). Even if it was a file that the web server could process (like a PHP file or shell script), it still would just display the source.
‘Is this a hazard to my users?
Not Likely. Given the above scenario, Someone malicious would need to rename a file extension, upload it to the site, get people to download it, and get people to change the extension. So, if the user is really dumb, it’s possible. I’d like to think that someone that goes around downloading things and changing extensions from txt to exe would learn their lesson pretty quick.
I hope that helps. If someone is a security expert, I hope they might add more to the topic, but those are the risks to the best of my knowledge.
The OP mentions allowing upload of Word docs so they could contain Macro viruses, I would not be allowing Word docs to be uploaded unless they could be screened in some fashion.
@hnla If I stick to ONLY PDF then is that safe?
@rossagrant Unless someone merges virus to PDF, yes it’s safe
I get hoping mad when people send me Word files, I hate the presumption that I would have or want bloated MS software, other than the sadly necessary OS. pdf is in terms of this discussion a safe format, Word doc files are not getting uploaded to any server that I can exercise control of, nor – unless a trusted source – do I download Word docs; zips are not that safe either