File Upload Question

Guest

Guys,

I am letting users upload files to my server. I have Symantec virus scan
on my server running in the background. Now would a user be able to upload
a document with a virus inside it or not, provided the virus pattern files are
up to date?

Should I be worried about it?

Thanks in advance.

Manny
 
intrader

Yes, users can upload viruses and worms, spybots, etc. What is worse is
that not all virus scanners are up to date.
I find that the McAfee in AOL is doing a good job - but will it catch all
viruses, worms, etc.? No.
 
AndrewF

Hi Manny,

The user can certainly upload a file with a virus etc. in it, but you
have to ask some more relevant questions to ascertain the risk:

1. Are all the users public? If so, do you really want them uploading
files? If not, what is the potential of your users having virus-ridden
files that are being uploaded, firstly accidentally and secondly
maliciously?

2. Can you lock the file types or MIME types down to restrict certain
types of document? Obviously things like Word docs, EXEs etc. should all
be pretty much on the hit list for non-allowable files to be uploaded -
especially if all you want are image/jpeg for example.

IE doesn't support MIME type locking but on the server side you can
intercept the MIME type and reject it if it is not one you allow.

3a. Most viruses aren't a problem until you execute the file - this is
why everyone is told by even the virus companies "don't open a file /
email from someone you don't know or weren't expecting" - regardless of
your virus definitions being up to date, there is always a lag time
before new viruses are detectable - but so long as you don't open a
file and execute whatever is embedded within it then it won't run and
shouldn't cause any problem.

3b. Does it make sense then to "quarantine" files for a period of time
whilst you can manually or automatically run a sweep over the file to
ensure there are no greeblies in it?

4. Depending on processor overhead it could make sense to have a "magic
bucket" where files are held and then run a script on this that detects
when a new one is added and it is then scanned. If the scan proceeds
and a clean bill of health is given then it can be moved to another
folder.

For one of our clients we only allow registered users to upload and we
lock the MIME types to certain file types only. We also enforce a
"magic bucket" quarantine system which sometimes means documents are
not immediately available but protects the system as well.

Cheers
AndrewF
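
The server-side type restriction and "magic bucket" quarantine described in the reply above, as an added example that is not code from anyone in this thread. It goes one step further than the reply by checking the file's leading bytes as well as the declared MIME type. The directory layout, function names and the `scan` callback are assumptions; `scan` stands in for whatever call runs the installed virus scanner and returns True for a clean file.

```python
import os
import shutil
import tempfile

# Allowed declared MIME types mapped to the leading bytes the content must have.
ALLOWED = {
    "image/jpeg": b"\xff\xd8\xff",
    "image/png": b"\x89PNG\r\n\x1a\n",
}

def accept_upload(data, declared_mime, quarantine_dir):
    """Reject disallowed types; otherwise store in quarantine under a random name."""
    magic = ALLOWED.get(declared_mime)
    if magic is None:
        raise ValueError("type not allowed: %r" % declared_mime)
    if not data.startswith(magic):
        # The declared type is sent by the client, so check it against the content.
        raise ValueError("content does not match declared type")
    name = os.urandom(16).hex()  # never reuse the client-supplied filename
    path = os.path.join(quarantine_dir, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)  # no execute bit
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return name

def sweep(quarantine_dir, released_dir, rejected_dir, scan):
    """Scan every quarantined file; move clean ones to released, others to rejected."""
    results = {}
    for name in sorted(os.listdir(quarantine_dir)):
        src = os.path.join(quarantine_dir, name)
        try:
            clean = bool(scan(src))
        except Exception:
            clean = False  # fail closed: a scanner error is not a clean bill of health
        shutil.move(src, os.path.join(released_dir if clean else rejected_dir, name))
        results[name] = "released" if clean else "rejected"
    return results

def demo():
    """Constructed sample run; fake_scan is a stand-in, not a real virus scanner."""
    root = tempfile.mkdtemp()
    q, ok, bad = (os.path.join(root, d) for d in ("quarantine", "released", "rejected"))
    for d in (q, ok, bad):
        os.mkdir(d)
    def fake_scan(path):
        with open(path, "rb") as f:
            return b"TEST-SIGNATURE" not in f.read()
    a = accept_upload(b"\xff\xd8\xff" + b"pixels", "image/jpeg", q)
    b = accept_upload(b"\x89PNG\r\n\x1a\n" + b"TEST-SIGNATURE", "image/png", q)
    return a, b, sweep(q, ok, bad, fake_scan), root
```

Only files in the released folder should ever be served to other users; the quarantine and rejected folders belong outside the web root.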
 
