If you have a file upload facility within your website then
it is critical to check the types of files that may be uploaded. This
is especially important if the uploaded content is going to be saved to a folder
that is accessible via the web, because an uploaded file could then be
executed on the server when a user makes a standard browser request for the
file once it has been uploaded.

Although it is essential to black-list certain file types
(such as .asp, .aspx, and if your server supports it, .php), a safer
alternative is to provide a white-list of specific file types that can be
uploaded (such as .jpg, .gif and .png for an image upload facility). It is
also worthwhile including a maximum file size that can be uploaded - most file
uploading server components allow such a limit to be set.

If you are intending to use uploaded files (such as resumes
submitted by candidates on a job vacancies site, for example) then it is also
a good idea to implement a virus checking facility before the content reaches
the business processes that make use of the uploaded file.
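The white-list, size-limit and web-accessible-folder advice above, worked through as an added example (not code from the original page). It assumes an image upload facility with the hypothetical policy values shown, and goes one step beyond the text by also checking that the file's leading bytes match the white-listed type it claims to be:

```python
import os
from typing import Tuple

# Hypothetical policy for an image upload facility (assumed values, not from the page).
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png"}
MAX_UPLOAD_BYTES = 2 * 1024 * 1024  # 2 MiB

# Leading bytes a genuine file of each white-listed type starts with.
MAGIC_NUMBERS = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). Anything not explicitly white-listed is rejected."""
    # Accept only a bare file name: a client-supplied path must not be able to
    # place the file outside the intended upload folder.
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or base != filename:
        return False, "filename must not contain a path"
    # Only the final extension is consulted, compared case-insensitively,
    # so 'PHOTO.PNG' is treated the same as 'photo.png'.
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension %r is not on the white-list" % ext
    if len(data) == 0:
        return False, "empty file"
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "file exceeds the maximum upload size"
    # The extension alone is a claim; confirm the content starts like that type.
    if not any(data.startswith(magic) for magic in MAGIC_NUMBERS[ext]):
        return False, "content does not match the declared file type"
    return True, "ok"


# Constructed sample inputs for a stand-alone run.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32

if __name__ == "__main__":
    for name, blob in [("photo.png", SAMPLE_PNG), ("page.aspx", b"<%"),
                       ("photo.png", b"not really a png")]:
        print(name, validate_upload(name, blob))
```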