Enable file uploads for a webEOS site¶

Important security considerations¶

Special care is required when designing a web site with file upload functionality (or more generally, any functionality that results in writing data to a file).

Warning

If a web site allows public file uploads from Internet, it must not make the uploaded files publicly readable or disclose whether a given file is already present. (As this could allow distribution of inappropriate, copyrighted or malicious material)

Even for non-public web sites behind SSO, setting up a WebEOS site with functionality that writes to files or folders causes security concerns. Please follow carefully the recommendations in this page to minimize the security risks associated with write functionality.

Setting up writable folders on EOS (not recommended)¶

Warning

This solution is highly discouraged for security reasons. It aims at minimizing risks associated with a web site writing to EOS but cannot eliminate them. It must only be considered to preserve the functionality of existing Official websites (not Personal). Whenever possible, upload files via CernBox or move to PaaS.

In exceptional cases when CernBox cannot be used to upload folders such as upstream applications with integrated upload function and applications using file-based databases, there are a few guidelines that should be followed:

Select an EOS upload folder: It is required that the folder that the files are stored is outside of the root folder of your site. For example, if the root folder of your site is /eos/project/<initial>/project_name/www, the upload folder could be set to /eos/project/<initial>/project_name/upload_folder.
Grant the web servers writable access to the EOS upload folder: in general, this means sharing the EOS upload folder (e.g. /eos/project/<initial>/project_name/upload_folder) with account a:wwweos (notice the prefix a) as Editor from CERNBox: see how to share a personal EOS folder or a project EOS folder. If share properties of the folder are not accessible from CERNBox (e.g. folders in an Experiment's EOS instance), set the permission using EOS command line interface: in this case, the appropriate folder ACL is u:wwweos:rwx+d.
Enable the setting Use .htaccess files in the section Site Access of the webEOS site management screen.
Create .htaccess: Disable directory indexes and script exection using .htaccess. The following .htaccess must be placed in the upload folder (e.g. /eos/project/<initial>/project_name/upload_folder):

# Don't list directory contents
IndexIgnore *

# Disable script execution
SetHandler None

# Disable directory indexes
Options -Indexes -ExecCGI

Create an subfolder in the upload folder and upload files in the that folder. For example, if the upload folder is /eos/project/<initial>/project_name/upload_folder, upload the actual files in /eos/project/<initial>/project_name/upload_folder/files to avoid the possibility of overwriting the .htaccess.
Develop functions to validate the uploaded file and ensure that only expected files are being uploaded. Verify that the following properties for the file that is uploaded by the user are met:
Check for type of file upload and deny uploading files with other files than the expected ones (e.g. upload only images).
Never upload an .htaccess file.
Limit file size.

An example of how the EOS directory structure should look like:

eos/project/<initial>/project_name/
└───upload_folder
│   │   .htaccess (see step 3)
│   │
│   └───files (users' files)
│       │   image1.png
│       │   ...
│
└───www (root folder - site's content)
    │   index.php
    |   ...

Enable file uploads for a webEOS site¶

Important security considerations¶

Recommended solutions¶

Upload files via CernBox¶

Deploy applications with file upload functionality to PaaS instead¶

Setting up writable folders on EOS (not recommended)¶