Snooble Posted December 7, 2008

Hey, I've a quick question.. here's my upload form:

```html
<!-- The data encoding type, enctype, MUST be specified as below -->
<form enctype="multipart/form-data" action="checkupload.php" method="POST">
    <!-- MAX_FILE_SIZE must precede the file input field -->
    <input type="hidden" name="MAX_FILE_SIZE" value="104857600" />
    <!-- Name of input element determines name in $_FILES array -->
    Send this file: <input name="userfile" type="file" />
    <input type="submit" value="Send File" />
</form>
```

And here's the checkupload.php:

```php
<?php
// In PHP versions earlier than 4.1.0, $HTTP_POST_FILES should be used instead
// of $_FILES.

$uploaddir = 'uploads/';
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);

echo '<pre>';
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
    $size = $_FILES['userfile']['size'] / 1024 / 1024;
    $size = round($size, 2);
    echo "Successful Upload.\n $size MB";
} else {
    echo "Possible file upload attack!\n";
}

echo 'Here is some more debugging info:';
print_r($_FILES);

print "</pre>";
?>
```

When I try to upload a file called "Snooble's Game.mp3", the saved file is named "s Game.mp3".

So I need to escape the ' 's? How!?!?

Thanks

Snoobs

gevans Posted December 7, 2008

I'd recommend stripping out the apostrophe. Filenames would usually only have a-z and 0-9!! You might consider renaming the file on upload!!

Snooble Posted December 7, 2008 (Author)

How can I strip out the apostrophes?

Thank you

Snoobs

gevans Posted December 7, 2008

```php
$foo = "Snooble's Game.mp3";
$foo = str_replace("'", "", $foo);
```

But this will leave you with "Snoobles Game.mp3"

I wouldn't want filenames using spaces on my server!

Snooble Posted December 7, 2008 (Author)

Why would you not allow spaces? Should I strip everything harmful.. such as <>-'";:#[]{} etc. and just leave _?

Plus, would the file be uploaded before the page goes to checkupload.php? Or is it safe to have the error checking on the checkupload.php page?

Thanks people!

Snoobs

gevans Posted December 7, 2008

You should validate the file before uploading! Also I'd strongly recommend renaming the file rather than trying to strip out everything harmful.

Snooble Posted December 7, 2008 (Author)

OK... how can I validate it? And how would I rename it? I want it to be named when it's downloaded though... ideas?

Thanks,

Snooble

gevans Posted December 7, 2008

If you take a look at this link you can see a secure upload. The filesize and extension are validated. Also it is renamed. These things are all very important with file uploads.

MadTechie Posted December 7, 2008

> When i try to upload a file called "Snooble's Game.mp3"
> The saved file is named "s Game.mp3"
> So i need to escape the ' 's? how!?!?
> Thanks
> Snoobs

Where is the filename being stored? As the upload routine you have is fine.. can you post the part that stores the data..

As for filtering, you should check the file type..

Snooble Posted December 7, 2008 (Author)

Right, so after reading the article, I've changed the checking process... Now looks like this!:

```php
<?php
// Check that we have a file
if ((!empty($_FILES["uploaded_file"])) && ($_FILES['uploaded_file']['error'] == 0)) {
    // Check that the file is an MP3 and its size is less than 100 MB
    $name = basename($_FILES['uploaded_file']['name']);
    $filename = str_replace("'", "", $name);
    $ext = substr($filename, strrpos($filename, '.') + 1);
    if (($ext == "mp3") && ($_FILES["uploaded_file"]["type"] == "audio/mpeg") &&
        ($_FILES["uploaded_file"]["size"] < 104857600)) {
        // Determine the path to which we want to save this file
        $newname = dirname(__FILE__) . '/uploads/' . $filename;
        // Check whether a file with the same name already exists on the server
        if (!file_exists($newname)) {
            // Attempt to move the uploaded file to its new place
            if ((move_uploaded_file($_FILES['uploaded_file']['tmp_name'], $newname))) {
                echo "It's done! The file has been saved as: " . $newname;
            } else {
                echo "Error: A problem occurred during file upload!";
            }
        } else {
            echo "Error: File " . $filename . " already exists" . $_FILES['uploaded_file']['name'] . "";
        }
    } else {
        echo "Error: Only .mp3 songs under 100MB are accepted for upload";
    }
} else {
    echo "Error: No file uploaded";
}
?>
```

BUT! I'm still getting issues with the filename! It still only displays AFTER the apostrophe. I tried echoing out $_FILES['uploaded_file']['name'], and I get "s Game.mp3"!

PLEASE HELP!

Snoobs

premiso Posted December 7, 2008

I would disallow file upload with the ' or / or ? or " etc. That can cause major issues and is a security flaw. Either that or remove them when you do the move_uploaded_file. If not, you may not be able to delete the file, and as said before someone could exploit your server with that.

Snooble Posted December 7, 2008 (Author)

What I'm saying is that the file's name that gets sent from:

```html
<form enctype="multipart/form-data" action="checkupload.php" method="POST">
    <!-- MAX_FILE_SIZE must precede the file input field -->
    <input type="hidden" name="MAX_FILE_SIZE" value="104857600" />
    <!-- Name of input element determines name in $_FILES array -->
    Send this file: <input name="uploaded_file" type="file" />
    <input type="submit" value="Send File" />
</form>
```

Isn't the full title! I need it to be sent as a full title. How can I get the full filename sent to checkupload.php? Because then I can strip the invalid characters before upload.

Thanks

Snoobs

MadTechie Posted December 7, 2008

premiso: would you like to explain these "major issues and is a security flaw"

Snooble: please read my last post

Snooble Posted December 7, 2008 (Author)

MadTechie: I do not understand what you mean.. Refer to the "checkupload.php" form I uploaded! That uploads the file to my server. Or am I confused?

Thanks

Snoobs

premiso Posted December 7, 2008

> premiso: would you like to explain these "major issues and is a security flaw"
> Snooble: please read my last post

If you have a test server, upload a few files with a ', ; " / \ ? > < and then attempt to delete them. Chances are you cannot delete some of them.

I am not exactly sure of the way to exploit the server, it has been years since I was in that scene, but uploading a file named something like this filename/filenamed/file/file.php will create those folders etc. And if the php ext is allowed one could just go to that area and execute that php script to easily exploit that server.

If you really want to learn about the security flaws for allowing any file to be named anything you can find it online if you know where to go. I do not really want to go into much detail other than that cause that stuff is bad. I can probably go in more detail if you PM me, I just do not feel like feeding script kiddies ideas, ya know?

MadTechie Posted December 8, 2008

> uploading a file named something like this filename/filenamed/file/file.php will create those folders etc.

Not if basename() is used,

> And if the php ext is allowed one could just goto that area and execute that php script to easily exploit that server.

and I agree, but that's why filtering is needed..

While I agree that renaming can be an idea for security.. there are many options, but you must always keep in mind: how is the system going to deal with these uploads??

Snooble: First thing, you say the file is being displayed as

> When i try to upload a file called "Snooble's Game.mp3"
> The saved file is named "s Game.mp3"

I assume this is the actual filename and not the filename stored in a database.. if this is true then you need to update the code a little, try this

```php
<?php
// Check that we have a file
if ((!empty($_FILES["uploaded_file"])) && ($_FILES['uploaded_file']['error'] == 0)) {
    // Check that the file is an MP3 and its size is less than 100 MB
    // Undo magic_quotes_gpc escaping (\') before taking the basename
    $name = (get_magic_quotes_gpc()) ? stripslashes($_FILES['uploaded_file']['name']) : $_FILES['uploaded_file']['name'];
    $filename = basename($name);
    #$filename = str_replace("'","",$filename);
    $ext = strtolower(substr($filename, strrpos($filename, '.') + 1));
    if (($ext == "mp3") && ($_FILES["uploaded_file"]["type"] == "audio/mpeg") &&
        ($_FILES["uploaded_file"]["size"] < 104857600)) {
        // Determine the path to which we want to save this file
        $newname = dirname(__FILE__) . '/uploads/' . $filename;
        // Check whether a file with the same name already exists on the server
        if (!file_exists($newname)) {
            // Attempt to move the uploaded file to its new place
            if ((move_uploaded_file($_FILES['uploaded_file']['tmp_name'], $newname))) {
                echo "It's done! The file has been saved as: " . $newname;
            } else {
                echo "Error: A problem occurred during file upload!";
            }
        } else {
            echo "Error: File " . $filename . " already exists" . $_FILES['uploaded_file']['name'] . "";
        }
    } else {
        echo "Error: Only .mp3 songs under 100MB are accepted for upload";
    }
} else {
    echo "Error: No file uploaded";
}
?>
```

premiso Posted December 8, 2008

> > uploading a file named something like this filename/filenamed/file/file.php will create those folders etc.
>
> Not if basename() is used,
>
> > And if the php ext is allowed one could just goto that area and execute that php script to easily exploit that server.
>
> and i agree, but thats why filtering is needed..
>
> While i agree that renaming can be a idea for security.. their are many options, but you must always keep in mind,. how is the system going to deal with these uploads ??

Yea, I just read the first post and missed the basename in the reply. However, I would do a check to make sure that only numbers, (spaces maybe), periods and letters are allowed. As basename does not filter it, although it may not be a security deal it does some weird stuff when you cannot delete the file without going through the shell due to a ' etc.

But that is just me I guess. I am pretty paranoid when it comes to file uploads.

Snooble Posted December 8, 2008 (Author)

Directory traversal or something, I believe. "../"

Anyway. Thought you'd all know, but this was a bug in an earlier version of PHP. I updated my WAMP and now it sends the whole filename, so I just edit it as appropriate!

Thanks people!

Snoobs
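
The advice given across this thread (rename the file on upload, validate size and type, and allow only letters, digits, spaces and periods in names) put together as an added example; it is not code from the thread or from any poster. The helper names `display_name` and `store_upload`, the `uploads` directory, and PHP 7+ with the fileinfo extension are assumptions; `uploaded_file` is the form field used above.

```php
<?php
// Added example (not from the thread). Assumes PHP 7+ with the fileinfo extension.
const MAX_BYTES = 104857600;                  // same 100 MB limit as the form
const ALLOWED   = ['mp3' => ['audio/mpeg']];  // extension => accepted content types

// Hypothetical helper: reduce a client-supplied name to letters, digits, space, . _ -
function display_name(string $clientName): string
{
    $name = basename(str_replace('\\', '/', $clientName)); // drop any path part
    $name = preg_replace('/[^A-Za-z0-9 ._-]/', '', $name); // allowlist, not blocklist
    $name = trim(preg_replace('/\.{2,}/', '.', $name), ' .');
    return $name === '' ? 'unnamed' : $name;
}

// Hypothetical helper: validate one $_FILES entry, move it into $dir, throw on failure.
function store_upload(array $file, string $dir): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    if ($file['size'] <= 0 || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('File is empty or larger than the limit');
    }
    $label = display_name($file['name']);
    $ext   = strtolower(pathinfo($label, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        throw new RuntimeException('Extension not allowed');
    }
    // $file['type'] is sent by the browser; inspect the bytes instead.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED[$ext], true)) {
        throw new RuntimeException('Content does not match the extension');
    }
    // The name on disk contains no user input: 32 hex chars plus the checked extension.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], rtrim($dir, '/') . '/' . $stored)) {
        throw new RuntimeException('Could not move the uploaded file');
    }
    return ['stored' => $stored, 'label' => $label];
}

if (isset($_FILES['uploaded_file'])) {
    try {
        $r = store_upload($_FILES['uploaded_file'], __DIR__ . '/uploads');
        echo 'Saved as ' . $r['stored'] . ' (' . htmlspecialchars($r['label']) . ')';
    } catch (RuntimeException $e) {
        echo 'Error: ' . htmlspecialchars($e->getMessage());
    }
}
```

Storing the returned label next to the generated name (for example in a database row) lets a download script send the original title in a `Content-Disposition` header while the file on disk keeps its generated name. Detection of `audio/mpeg` depends on the server's libmagic database, so check it against real files before relying on it.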