The dangerous, exquisite art of safely handing user-uploaded files

Presented by Tom Eastman
Wednesday 3:40 p.m.–4:25 p.m.
Target audience: Developer

Abstract

Every web application has an attack surface -- the exposed points of interaction where a malicious or mischievous user can commit malice, or mischief (respectively). Possibly nowhere, however, is more vulnerable than places a user is allowed to upload arbitrary files.

The scope for abuse is eye-widening: The contents of the file, the type of the file, the size and encoding of the file, even the name of the file can be a potent vector for attacking your system.

The scariest part? Even the best and most secure web-frameworks can't protect you from all of it.

In this talk, I'll show you every scary thing I know about that can be done with a file upload, and how to protect yourself from -- hopefully -- most of them.

Presented by

Tom Eastman

twitter

Tom is an open source technologist, Python developer, trainer, devops/security consultant, and senior software systems engineer at Koordinates Limited. He believes your two crucial metrics for measuring code-quality should be (a) "Will the person who inherits my code be glad that I wrote it this way?" and (b) "Will the person who attacks my code be annoyed that I wrote it this way?"

Sponsors

We thank our Emperor Penguin sponsors for their generous contribution to linux.conf.au 2017.

Other Sponsors

©2016 Linux Australia and linux.conf.au 2017. Linux is a registered trademark of Linus Torvalds. Site design by Takeflight. Image credits can be found on our Colophon.