Security considerations when allowing document uploads
I have a web application that allows users to upload certain documents relevant to their account (word/excel/powerpoint etc). I'm building this with CodeIgniter and I just wanted to check that I'm not missing anything security wise.
- MIME types of the file are checked
- Maximum size is checked
- The filename is hashed
- The filename is never seen by any user; rather, when clicking a "download" link, the safedownload controller is called with an ID ( http://www.example.com/safedownload/1245/ )
Is there anything I'm missing? The CHMOD of the files in the directory is currently set to 0600, is that secure?
Thanks.
Have you considered the way the files are accessed later? There is a common flaw you should be aware of:
If the filepath can be manipulated in any way, it is possible that your server could be accessed completely outside the folder you store the documents in, for instance ../../../etc/somefile
To protect against this, you could check the filepath that is about to be accessed for '..' to be sure no one has found a way to get those characters in the command your code executes!
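The check described above can be generalized from searching for '..' to resolving the path and confirming it is still inside the upload folder. This is an added example, not code from the original question or answer. The function name `resolve_upload_path`, the directory names and the sample file names are hypothetical and constructed for the demo.

```php
<?php
// Added example: all names and paths below are hypothetical, constructed for this demo.

/**
 * Return the absolute path of $storedName inside $baseDir,
 * or null if the name is invalid, missing, or resolves outside $baseDir.
 */
function resolve_upload_path(string $baseDir, string $storedName): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null; // upload directory does not exist
    }
    // Empty names and NUL bytes are never valid stored names.
    if ($storedName === '' || strpos($storedName, "\0") !== false) {
        return null;
    }
    // realpath() collapses "..", "." and symlinks; it returns false for missing files.
    $real = realpath($base . DIRECTORY_SEPARATOR . $storedName);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Compare against the base WITH a trailing separator, so that a sibling
    // directory such as "uploads_private" does not pass as "uploads".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Constructed directory layout for the demo.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'upload_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/uploads', 0700, true);
mkdir($root . '/uploads_private', 0700, true);
file_put_contents($root . '/uploads/3f2a9c.docx', 'demo');
file_put_contents($root . '/uploads_private/secret.txt', 'demo');
file_put_contents($root . '/outside.txt', 'demo');

// Constructed stored names: one legitimate, the rest should be rejected.
$cases = ['3f2a9c.docx', '../outside.txt', '../uploads_private/secret.txt', 'missing.docx'];
foreach ($cases as $name) {
    $path = resolve_upload_path($root . '/uploads', $name);
    printf("%-32s => %s\n", $name, $path === null ? 'rejected' : 'served');
}
```

Because the download controller looks files up by ID, the stored name should come from the database row for that ID and still pass through this check before the file is read.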