PDF upload

Question
-
User279777510 posted
May I request some advice please.
I've been asked to create a website that will allow unauthorised/unknown users to apply for an account. Prior to being approved for an account, they are required to submit some supporting documents in PDF form as part of the registration form.
Do I want to allow an unknown user to submit anything to the site?
Any documents they upload would potentially contain their information - do they want to be loading it?
I would rename the file as it is uploaded and remove it from the initial upload location as soon as they submit their request.
Is there a better way of doing this?
Thanks
Tuesday, December 1, 2015 11:49 AM
Answers
-
User-821857111 posted
> My application can use javascript/regular expression/server side code to limit the upload to be PDF files only.
Server-side validation is the most important part.
> Is it a good idea to request files from an unauthorised user?
If you need them as part of your business process, then you need them. Validate the file type using server side code and save them to a folder outside of the root of the site (or App_Data as in my article that Wim linked to). You can configure an AV solution to scan the folder if you like. No one else will have access to the folder - except people who have direct access to the server's file system.
- Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
Tuesday, December 1, 2015 4:26 PM
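An added example (not code from the thread or from Mike's article) of the server-side handling the accepted answer describes: check the content by its PDF signature rather than by the client's file name, give it a server-chosen random name, and write it under a folder outside the site root such as App_Data. The stream and upload-root parameters, the 10 MB limit and the "applications" folder name are assumptions.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;

// Added example, not from the thread. Assumed inputs: the upload's stream (e.g.
// HttpPostedFile.InputStream), its declared length (HttpPostedFile.ContentLength)
// and a folder outside the site root (e.g. Server.MapPath("~/App_Data/applications")).
public static class PdfUploadHandler
{
    private const long MaxBytes = 10 * 1024 * 1024;                  // assumed 10 MB limit
    private static readonly byte[] PdfMagic = { 0x25, 0x50, 0x44, 0x46, 0x2D }; // "%PDF-"

    // True only if the content begins with the PDF signature; the client-supplied
    // file name and Content-Type header are not consulted at all.
    public static bool LooksLikePdf(Stream content)
    {
        if (content == null || !content.CanRead) return false;
        var header = new byte[PdfMagic.Length];
        int read = content.Read(header, 0, header.Length);
        if (content.CanSeek) content.Position = 0;                    // rewind for the copy
        if (read < PdfMagic.Length) return false;
        for (int i = 0; i < PdfMagic.Length; i++)
            if (header[i] != PdfMagic[i]) return false;
        return true;
    }

    // Server-chosen random name: the original name never reaches the disk, so it
    // cannot influence the stored path or extension.
    public static string NewStoredName()
    {
        var bytes = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        return BitConverter.ToString(bytes).Replace("-", "").ToLowerInvariant() + ".pdf";
    }

    // Validates and stores the upload; returns the stored name, or null if rejected.
    // Request size should also be capped in web.config (maxRequestLength).
    public static string SaveApplicantPdf(Stream content, long declaredLength, string uploadRoot)
    {
        if (declaredLength <= 0 || declaredLength > MaxBytes) return null;
        if (!LooksLikePdf(content)) return null;
        Directory.CreateDirectory(uploadRoot);
        string storedName = NewStoredName();
        string fullPath = Path.Combine(uploadRoot, storedName);
        using (var target = new FileStream(fullPath, FileMode.CreateNew, FileAccess.Write))
        {
            content.CopyTo(target);
        }
        return storedName;   // record this against the application; serve it only through your own code
    }
}
```

The signature check only rejects files that are not PDFs at all; it is not malware detection, which is why the answer also recommends AV scanning of the folder and why the stored files should be served through the application rather than from a browsable path.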
All replies
-
User-821857111 posted
Presumably, if someone wants an account, they will have to provide some personally identifying information, such as their name as part of the submission process, before they are approved. If you asked for more private information from someone before they get approved, they will make a judgement as to whether to share it with the web site or not. I'm not sure I understand what your doubt is about.
Tuesday, December 1, 2015 1:34 PM -
User279777510 posted
The applicant will be unauthorised and unknown to me, at the time of application. They will be asked to submit company details and a number of PDF files that support their application for a user account.
At this point I'm worried about allowing people to upload onto my server. I'll need to give write permissions to the web user to a folder. If I grant write permissions only, then that should stop anyone accessing the other files?
My application can use javascript/regular expression/server side code to limit the upload to be PDF files only.
However can anyone outside of my application now get access to that folder? Am I opening up a method of attack? I can stop the user having read/execute as mentioned but presumably anyone could load something on there that gets run later by one of my office users with permissions.
Am I worrying needlessly? Potentially an authorised user could load something equally unpleasant later in the process.
Obviously the server will be running some security software and I thought that any files not part of a valid application would be removed regularly by a scheduled task.
Is it a good idea to request files from an unauthorised user?
Tuesday, December 1, 2015 2:45 PM -
User1428246847 posted
> MushroomBill: At this point I'm worried about allowing people to upload onto my server. I'll need to give write permissions to the web user to a folder. If I grant write permissions only, then that should stop anyone accessing the other files?
Place the applicant's files in the App_Data folder; it's not accessible from a browser. Only your application and people with direct access to the server will be able to use them.
You can e.g. use Mike's code ( http://www.mikesdotnetting.com/Article/122/Simple-File-Download-Protection-with-ASP.NET ) to access (download) them using your application.
Tuesday, December 1, 2015 3:52 PM -
User279777510 posted
Many thanks for taking the time to reply... Much appreciated.
Wednesday, December 2, 2015 11:12 AM -
User1777983149 posted
1st step: validation for PDF
2nd: upload file in binary format in database
3rd: retrieve file and save files as per your convenient location
For more information visit http://pramodraising.blogspot.in
Thursday, December 3, 2015 10:19 AM