File uploads, downloads and management
Last updated on 20 September 2016
[This section is a work in progress]
Advice in a Nutshell
Allowing users to manage files on your server is a potentially dangerous operation.
You need to make sure that users cannot:
- view arbitrary files.
- delete arbitrary files.
- overwrite 'critical' files.
- upload and execute arbitrary files.
- completely fill a device (or disk quota).
Note that "arbitrary" means "any file on the server". So, for example, if you limit users to files in the "files" directory, that is not arbitrary. But if the code that writes files lets the user influence the file path in any way, they can insert "../../" into the filename, which walks back out of the "files/" directory and into other directories on your server.
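As an added example (not code from this handbook page or from Drupal itself), here is that mistake in plain PHP beside the check that prevents it: the vulnerable version joins the user-supplied name straight onto the base directory, the hardened version only accepts a bare file name and then verifies that the resolved path still lies inside the directory. The demo directory and sample file names are constructed for the example.

```php
<?php
// Added example, not code from the Drupal handbook: confining a user-supplied
// file name to one base directory so that "../" cannot escape it.

// VULNERABLE: joining the user-controlled name onto the base directory lets
// "../../private.txt" walk out of the files directory.
function unsafe_file_path(string $base, string $user_name): string {
    return rtrim($base, '/') . '/' . $user_name;
}

// HARDENED: accept only a plain file name, then resolve the result and verify
// it still lies inside the base directory before any filesystem operation.
function safe_file_path(string $base, string $user_name): ?string {
    if ($user_name === '' || $user_name === '.' || $user_name === '..') {
        return null;
    }
    // No directory separators (either kind) and no NUL bytes.
    if (preg_match('#[/\\\\\x00]#', $user_name)) {
        return null;
    }
    $real_base = realpath($base);
    if ($real_base === false) {
        return null;               // the base directory must already exist
    }
    $candidate = $real_base . DIRECTORY_SEPARATOR . $user_name;
    // For an existing file realpath() also follows symlinks, so a link that
    // points outside the base directory fails the prefix check below.
    $resolved = file_exists($candidate) ? realpath($candidate) : $candidate;
    if ($resolved === false
        || strpos($resolved, $real_base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $resolved;
}

// Demo with a constructed "files" directory under the system temp directory.
$files_dir = sys_get_temp_dir() . '/demo_files';
@mkdir($files_dir);

var_dump(unsafe_file_path($files_dir, '../../private.txt')); // escapes $files_dir
var_dump(safe_file_path($files_dir, '../../private.txt'));   // NULL: rejected
var_dump(safe_file_path($files_dir, 'report.pdf'));          // path inside $files_dir
```

The same prefix check belongs in front of every read, delete and overwrite, not just uploads, since each of the bullet points above is reachable through an unchecked path.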