
MB-R021 Secure file uploads

C03 Secure Coding Practices High

Upload handlers must validate MIME types, enforce extension allow-lists, limit file size, and store files outside the webroot. Attackers often upload PHP shells disguised as images. Files should be re-encoded where possible and given random names to prevent collisions and guessable URLs.

Why it Matters

File uploads are a common target for attackers. If an upload form accepts any file type without checks, attackers may upload a PHP shell disguised as an image. Once uploaded, they can execute commands, steal data, or take over the entire server.

Secure upload handling means validating MIME type, checking extensions, limiting file size, and storing files outside the webroot. Randomizing file names and re-encoding images add more protection. With these controls, uploaded files cannot be used as an entry point for attacks.

Verification Steps

Manual

# Review custom upload handlers
grep -R "move_uploaded_file" app/code

# Check if:
# - MIME type is validated
# - File extension is validated
# - File size is limited
# - Storage is outside pub/ when possible

Remediation / Fix Guidance

  1. Validate both MIME type and file extension against an allow-list (e.g., jpg, png, pdf), detecting the MIME type from file content rather than trusting the client-supplied value.
  2. Set file size limits to avoid DoS via large uploads.
  3. Store uploads outside pub/ or use generated random names to prevent direct access.
  4. For images, re-encode with a safe library (e.g., GD or Imagick) before saving.
  5. Disable execution permission on upload folders.
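A handler that applies all five steps together, written here as an added example rather than code from the baseline or from Magento; the upload directory (`/var/uploads`, assumed to sit outside `pub/`), the 2 MiB size limit and the allow-list are assumptions:

```php
<?php
// Added example (not from the baseline page): a hardened upload handler that
// applies the five remediation steps. Paths, limits and the allow-list are assumptions.

const UPLOAD_DIR = '/var/uploads';           // assumed: outside the webroot (pub/)
const MAX_BYTES  = 2 * 1024 * 1024;          // assumed limit: 2 MiB
const ALLOWED    = [                         // MIME type (from content) => canonical extension
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
];

/**
 * Validates one $_FILES entry, re-encodes it through GD and stores it under a
 * random name outside the webroot. Returns the stored path; throws on any failure.
 */
function storeUploadedImage(array $file): string
{
    // Step 2: reject failed uploads, non-upload paths and oversized files first.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed or is not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File exceeds size limit');
    }
    // Step 1a: detect the MIME type from the bytes, never from $file['type'] or the name.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!is_string($mime) || !isset(ALLOWED[$mime])) {
        throw new RuntimeException('Disallowed MIME type');
    }
    // Step 1b: the client-supplied extension must agree with the detected type.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if ($ext === 'jpeg') { $ext = 'jpg'; }
    if ($ext !== ALLOWED[$mime]) {
        throw new RuntimeException('Extension does not match file content');
    }
    // Step 4: re-encode so only pixel data survives; embedded code/metadata is discarded.
    $img = @imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('Not a decodable image');
    }
    // Step 3: random name, canonical extension, directory outside pub/.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $ok = $mime === 'image/png' ? imagepng($img, $dest, 6) : imagejpeg($img, $dest, 85);
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('Could not write re-encoded image');
    }
    chmod($dest, 0640);   // Step 5: readable by the app, never executable
    return $dest;
}
```

Because the image is rewritten by GD, `move_uploaded_file` is not needed; PHP removes the temporary upload at the end of the request.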

Examples

Fail Example

// Unsafe: saves file with original name in pub/
move_uploaded_file($_FILES['file']['tmp_name'], 'pub/uploads/' . $_FILES['file']['name']);

Pass Example

// Safe: checks size, validates type from content, renames, stores outside webroot
$allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png'];   // MIME type => extension
$maxBytes = 2 * 1024 * 1024;                               // example limit: 2 MiB

if ($_FILES['file']['error'] !== UPLOAD_ERR_OK || $_FILES['file']['size'] > $maxBytes) {
    throw new Exception("Upload failed or exceeds size limit");
}

// Detect the type from the file content, never from the client-supplied name
$type = mime_content_type($_FILES['file']['tmp_name']);

if (isset($allowed[$type])) {
    $newName = bin2hex(random_bytes(8)) . '.' . $allowed[$type];
    move_uploaded_file($_FILES['file']['tmp_name'], '/var/uploads/' . $newName);
} else {
    throw new Exception("Invalid file type");
}

References