Update 15-August-2013: Added several new file extensions and php_flag engine off to the recommended web server configuration.

Review Board allows any type of file to be uploaded, and with that can come some risks, depending on how you have installed Review Board, and where.

Uploaded files are served by your web server, and if not set up correctly, your web server could end up processing the file. For certain file types, the web browser may process it as well. This is just the nature of serving files over a website.

There are some things you can do to lock down file attachments on your server.

Configuring your web server

The first thing to do is configure your web server to limit what's allowed for uploaded file attachments. What you'll be doing is disallowing any overrides to your configuration, disabling any server-side processing, and hinting to the browser to render certain files as plain text.

If you're using an Apache-based installation initially generated before Review Board 1.7.12, add the following to your Apache configuration:

<Location "/media/uploaded">
  SetHandler None
  Options None

  AddType text/plain .html .htm .shtml .php .php3 .php4 .php5 .phps .asp
  AddType text/plain .pl .py .fcgi .cgi .phtml .phtm .pht .jsp .sh .rb

  <IfModule mod_php5.c>
    php_flag engine off
  </IfModule>
</Location>

If you're instead using Nginx to serve your media, you'll want a rule like:

location /media/uploaded/ {
  ...

  location ~ \.([sp]?html?|php\d?|phtm?|phps|pl|py|f?cgi|jsp|sh|rb) {
    types { }
    default_type text/plain;
  }
}

Substitute the correct paths for your installation above.
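A coverage check for the two rules above, added here as an example and not part of Review Board's documentation or code: it runs every extension from the Apache AddType lines through the Nginx pattern and reports any the pattern does not match. The sample paths and function names are constructed for illustration.

```python
import re

# Extensions copied from the two AddType lines in the Apache rule.
APACHE_EXTENSIONS = (
    ".html .htm .shtml .php .php3 .php4 .php5 .phps .asp "
    ".pl .py .fcgi .cgi .phtml .phtm .pht .jsp .sh .rb"
).split()

# Pattern copied from the nested Nginx location. The "~" modifier makes Nginx
# run a case-sensitive, unanchored search over the request path, which
# re.search() on a pattern compiled without flags reproduces.
NGINX_PATTERN = re.compile(
    r"\.([sp]?html?|php\d?|phtm?|phps|pl|py|f?cgi|jsp|sh|rb)"
)

# Constructed sample paths; none of these come from a real server.
SAMPLE_PATHS = [
    "/media/uploaded/files/2013/08/15/report.html",
    "/media/uploaded/files/2013/08/15/screenshot.png",
    "/media/uploaded/files/2013/08/15/backup.sh.gz",
    "/media/uploaded/files/2013/08/15/REPORT.HTML",
]


def forced_to_plain_text(path):
    """True if the Nginx rule would serve this path as text/plain."""
    return NGINX_PATTERN.search(path) is not None


def uncovered_extensions(extensions=APACHE_EXTENSIONS):
    """Extensions from the Apache list that the Nginx pattern does not match."""
    stem = "/media/uploaded/sample"  # hypothetical file name without dots
    return [e for e in extensions if not forced_to_plain_text(stem + e)]


def audit(paths=SAMPLE_PATHS):
    """Map each path to whether the Nginx rule applies to it."""
    return {p: forced_to_plain_text(p) for p in paths}


if __name__ == "__main__":
    print("Apache-only extensions:", uncovered_extensions())
    for path, covered in audit().items():
        print("text/plain  " if covered else "default type", path)
```

The check reports `.asp` as the one Apache-listed extension the Nginx pattern leaves out, and the upper-case path is not matched because `~` is case-sensitive. Adding `asp` to the alternation and using the `~*` modifier brings the Nginx rule in line with the Apache list.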

It's important to note that the above rules do not guarantee that a browser won't try to interpret the files anyway. Older versions of Internet Explorer in particular attempt to "sniff" the file for HTML and display it anyway.

Why is this a problem? Browsing to an arbitrary uploaded HTML file can end up executing JavaScript within the domain of your Review Board server, calling into APIs on the user's behalf, and accessing their session cookies.

Disable unnecessary Apache modules

If you're using Apache, it's best to disable any modules you do not need. In particular, disable modules like mod_php5 or mod_ruby to reduce any further risk of code injection.

Using separate domains for uploaded media

The safest way to ensure that uploaded HTML won't be able to access user sessions is to keep it off your domain. You can do this by creating a new domain or subdomain specifically for uploaded media.

Your subdomain must not be a subdomain of the one used for your Review Board server. Ideally, the entire domain itself should be different, but this isn't always possible.

As an example, say Review Board is installed on reviewboard.example.com. A good subdomain would be rbmedia.example.com. A bad subdomain would be media.reviewboard.example.com.

Once you have a subdomain picked, and your web server properly serving up all your media files from that subdomain, you need to tell Review Board to use it. You can do this by going into the Administration UI -> General Settings and changing your Media URL to point to your new subdomain.
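One way to check a Media URL against the subdomain rule above (an added example, not Review Board's own code). It uses the cookie domain-match test from RFC 6265 to decide whether the media host falls under the server's host; the function names are hypothetical.

```python
import ipaddress
from urllib.parse import urlsplit


def host_of(value):
    """Hostname from a URL or bare host, lower-cased, without port or trailing dot.

    Returns "" for a relative URL such as "/media/", which names no host.
    """
    if "//" not in value:
        if value.startswith("/"):
            return ""
        value = "//" + value
    return (urlsplit(value).hostname or "").rstrip(".").lower()


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_matches(host, domain):
    """RFC 6265 section 5.1.3: equal, or a dot-bounded suffix of a host name."""
    if host == domain:
        return True
    # The leading dot keeps "xreviewboard.example.com" from matching
    # "reviewboard.example.com"; IP addresses only ever match exactly.
    return host.endswith("." + domain) and not is_ip(host)


def classify_media_url(server_url, media_url):
    """Return "same-host", "subdomain" or "separate" for a Media URL setting."""
    server = host_of(server_url)
    media = host_of(media_url) or server  # a relative URL stays on the server's host
    if media == server:
        return "same-host"
    if domain_matches(media, server):
        return "subdomain"  # the "bad subdomain" case from the text
    return "separate"


if __name__ == "__main__":
    rb = "reviewboard.example.com"
    for url in ("/media/", "http://media.reviewboard.example.com/media/",
                "http://rbmedia.example.com/media/"):
        print(classify_media_url(rb, url), url)
```

Only a result of "separate" satisfies the rule; "same-host" and "subdomain" both leave uploaded files on a host that falls under the Review Board server's own name.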

Or use a CDN

Another option is to use a CDN for your uploaded media. Using a CDN will not only give you a nice separation between your uploaded files and Review Board, but it'll also deliver those files to your users much faster (assuming you're using a good CDN and your users aren't centrally located). This is a good option for public servers.

Amazon S3

Review Board supports uploading all file attachments to Amazon S3. For this, you'll need an Amazon Web Services account, an S3 bucket, Amazon's boto Python module, and django-storages. See our documentation on configuring Amazon S3 with Review Board.

(Note that if you're running Review Board 1.7.11 or older, you will need boto 2.9.6 and django-storages 1.1.3.)

Amazon CloudFront

If you don't want to use S3, you can use a service like Amazon CloudFront instead. CloudFront is like S3, except that your files are still uploaded to your existing server, but are accessed through CloudFront node servers on separate domains.

To configure CloudFront:

  1. Sign up for Amazon Web Services and go to your CloudFront management panel.
  2. Click "Create Distribution."
  3. Choose the "Download" delivery method.
  4. Set "Origin Domain Name" to be the domain your Review Board server is on (reviewboard.example.com).
  5. Keep all other options as the default values if you like and then click "Create Distribution." This will take some time to create, so check back periodically.
  6. In Review Board, change your "Media URL" to "http://cloudfront-domain/media/", where "cloudfront-domain" is the domain name shown for your new CloudFront distribution.

At this point, you should be set, and all uploaded media should be accessed from the CloudFront domain.

Stay up-to-date with Review Board releases

Newer releases of Review Board may contain important security fixes for file attachments. We recommend always staying up-to-date with the latest supported releases.

You can subscribe to our announcements list to be notified whenever there's a new release.