xenoalien Posted March 27, 2009

I know that I need to ban PHP files and some others. What other file extensions should I ban for security reasons? Here is my code:

```php
$ext = substr($name, strrpos($name, '.') + 1);
if ($size > 260000000000 || $ext == 'php' || $ext == 'html' || $ext == 'htm' || $ext == 'ajax' ||
    $ext == 'js' || $ext == 'bat' || $ext == 'asp' || $ext == 'aspx' || $ext == 'mspx' || $ext == 'exe') {
    echo "File format $ext is not allowed or is greater than 250mb!";
}
```

https://forums.phpfreaks.com/topic/151410-what-file-types-should-i-ban-in-a-file-upload/
Brian W Posted March 27, 2009

First of all, a better way (imo) to do that is to have

```php
$banned = array("html", "ajax", "bat", "aspx", "mspx", "php", "htm", "js", "asp", "exe");
if ($size > 260000000000 || in_array($ext, $banned)) {
    // reject the upload
}
```

Also, using "these extensions are not allowed" vs "only these extensions are allowed" is easier but not as safe. Your question, though simple, is very difficult to answer. What security does your server have? What OS? What server? etc. If you know what kind of files will be uploaded, you should simply only allow those types; that way no one sneaks in a curve ball on you that no one thought of.
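An added example, not code from any post in this thread: the "only these extensions are allowed" check Brian W recommends, written out for the upload handler from the first post. The accepted types, the 250 MB limit, the MIME mapping used with finfo, and PHP 7.1+ syntax are assumptions for illustration.

```php
<?php
// Added example, not code from the thread. Allow-list validation for one
// entry of $_FILES. The accepted types, the size limit and the MIME mapping
// are assumptions; adjust them to what the site actually stores.

const MAX_UPLOAD_BYTES = 250 * 1024 * 1024;   // 250 MB, matching the message in the first post

// Everything the site is prepared to handle, each with the MIME type libmagic
// reports for it. Anything not listed is rejected, including types nobody
// thought to ban (phtml, phar, shtml, svg, ...).
const ALLOWED_TYPES = [
    'zip'  => 'application/zip',
    'pdf'  => 'application/pdf',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

/**
 * Lower-cased extension of the client-supplied name, or null if it has none.
 * Directory parts are stripped first, so "../../x.zip" and "C:\x.zip" both
 * become "x.zip".
 */
function uploadExtension(string $clientName): ?string
{
    $base = basename(str_replace('\\', '/', $clientName));
    $dot  = strrpos($base, '.');
    if ($dot === false || $dot === 0 || $dot === strlen($base) - 1) {
        return null;   // "README", ".htaccess", "backup."
    }
    return strtolower(substr($base, $dot + 1));
}

/**
 * Returns null when the upload may be stored, otherwise a short reason.
 * Only the last extension is checked; that is acceptable only because the
 * stored copy gets a server-chosen name, so the web server never sees a
 * client name such as "shell.php.zip".
 */
function validateUpload(array $file): ?string
{
    $error = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($error !== UPLOAD_ERR_OK) {
        return 'upload failed with error code ' . (int) $error;
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return 'not an uploaded file';   // guards against a forged $_FILES entry
    }
    if ($file['size'] > MAX_UPLOAD_BYTES) {
        return 'file is larger than 250 MB';
    }
    $ext = uploadExtension((string) $file['name']);
    if ($ext === null || !isset(ALLOWED_TYPES[$ext])) {
        return 'file type is not allowed; pack it as a .zip first';
    }
    // $file['type'] is sent by the browser and can say anything. Look at the
    // bytes instead: a "backup.zip" that is really a PHP script fails here.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        return "content ($mime) does not match a .$ext file";
    }
    return null;
}

// In the upload handler (the form field name "myfile" is taken from the thread):
if (PHP_SAPI !== 'cli' && isset($_FILES['myfile'])) {
    $problem = validateUpload($_FILES['myfile']);
    if ($problem !== null) {
        http_response_code(400);
        exit(htmlspecialchars($problem, ENT_QUOTES, 'UTF-8'));
    }
    // ... move_uploaded_file() to a server-chosen name outside the web root
}
```

The finfo check only reads the leading bytes, so a PHP script prefixed with a GIF89a header still passes as image/gif. It raises the bar, but what actually keeps uploaded code from running is where and under what name the file is stored, which the later replies in this thread cover.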
xenoalien (Author) Posted March 27, 2009

Nice code! Anyhow, I am making a website for people to back up their files. Making a list of accepted files would be a good idea. If a file type is not on the list then I should tell them to archive it or something, RAR it or ZIP it?
Yacoby Posted March 27, 2009

When I wrote a file upload site, I didn't allow anything external to access the directory where the files were stored, and just served the files via a PHP file by setting the headers and outputting the file. You could upload whatever, but it would never be executed in any way by the server. There must be better ways of doing what I did, but IMHO it was a better solution than banning file types.
Brian W Posted March 27, 2009

Hell, I would tell them to archive it in the first place and only accept zipped files, for two reasons: they take up a little less room (assuming they used compression) and also you will not have to deal with as many files and the complication of various file types. Just curious: are you offering this service to the public or to friends? Will this be free or will there be charges?
xenoalien (Author) Posted March 27, 2009

It's a scholarship project. I plan on making it public and putting some kind of web advertising on it to make money from it later. But that is after I look into some more security. Do you know if I can put AdSense in an account area by chance? But yeah, the project is mainly for a scholarship I am working on and yes, it is a free service for now. I have the registration and login set up; check it out if you are interested: http://www.storeupon.com
DEVILofDARKNESS Posted March 27, 2009

Hey, xenoalien, can I see how your upload script is built? I have problems with mine. Or is it too "insecure" to show it?
xenoalien (Author) Posted March 27, 2009

> Hey, xenoalien, can I see how your upload script is built? I have problems with mine. Or is it too "insecure" to show it?

Show me your script and tell me what you want it to do... I have been working on this project for a day and a half now... I don't want to give any code away unless it is a small snippet, aight? Maybe this is what you want?

```php
if ($_POST['submit']) {
    $name  = $_FILES['myfile']['name'];
    $type  = $_FILES['myfile']['type'];   // sent by the browser, not checked against the content
    $size  = $_FILES['myfile']['size'];
    $temp  = $_FILES['myfile']['tmp_name'];
    $error = $_FILES['myfile']['error'];

    // now handle and check for errors
    if ($error > 0) {
        die("Error uploading file! Code $error.");
    } else {
        // determine the extension of the file (lower-cased so "PHP" is treated like "php")
        $ext      = strtolower(substr($name, strrpos($name, '.') + 1));
        $banned   = array("html", "ajax", "bat", "aspx", "mspx", "php", "htm", "js", "asp", "exe");
        $maxBytes = 250 * 1024 * 1024;   // 250 MB in bytes (260000000000 would be about 242 GB)

        if ($size > $maxBytes || in_array($ext, $banned)) {
            echo "File format " . htmlspecialchars($ext) . " is not allowed or is greater than 250mb!";
        } else {
            // change file size to mb
            $size = $size / 1024 / 1024;

            // Display the file information ($name and $type come from the client, so escape them)
            echo "<h2>File upload success!</h2>
            <table width='100%' bgcolor='#00cc33'>
            <tr>
            <td><font size='2' face='arial'>Name</td><td>" . htmlspecialchars($name) . "</td>
            </tr>
            <tr>
            <td><font size='2' face='arial'>Type</td><td>" . htmlspecialchars($type) . "</td>
            </tr>
            <tr>
            <td><font size='2' face='arial'>Size</td><td>" . $size . "mb</td>
            </tr>
            </table>
            <p>Your file has been backed up onto our server and you can go to the main page to view your files. To upload another file, repeat the process. ";

            // now store the file (under the client-supplied name, unchanged)
            move_uploaded_file($temp, "uploaded/" . $name);

            // now store the directory onto the database table called files
        }
    }
}
```
PFMaBiSmAd Posted March 27, 2009

Just because you have registration and login does not stop anyone from registering and then uploading a script which they then browse to and take over your site. You must prevent execution of code, and the best way of doing that is preventing direct browser access to the location where the files are stored. You must also ensure that the location where files are stored is completely specified by your script and only uses the base part of the supplied file name (or even go so far as to generate internal file names yourself and only store the supplied file name in a database) so that directory traversal using ../../../ is prevented.
DEVILofDARKNESS Posted March 27, 2009

```php
<?php
// Which directory do the files go into? (make sure it has 777 permissions)
// Note: "/" is the filesystem root, not the web root
$map = "/";

// Maximum file size in bytes (1 kB = 1000 bytes)
$max = "100000";

// Which extensions may be uploaded (leave empty to allow everything)
$ext = "jpg JPG gif GIF png PNG bmp BMP";

// Do not change anything below

// Checks
if ($_POST['Uploaden']) {
    if (!$_FILES['bestand']) {
        print("Please specify a file!");
    } else {
        // Get the file name (drop any Windows path the browser sent)
        $bestand2 = explode("\\", $_FILES['bestand']['name']);
        $laatste  = count($bestand2) - 1;
        $bestand2 = "$bestand2[$laatste]";

        // Get the file's extension
        $bestand3 = explode(".", $bestand2);
        $laatste  = count($bestand3) - 1;
        $bestand3 = "$bestand3[$laatste]";
        $bestand3 = strtolower($bestand3);

        // Get the allowed extensions
        $ext     = strtolower($ext);
        $ext     = explode(" ", $ext);
        $aantal  = count($ext);
        $extfout = "";
        for ($tel = 0; $tel < $aantal; $tel++) {
            if ($bestand3 == $ext[$tel]) {
                $extfout = "nee";   // "nee" = no: the extension is allowed
            }
        }

        if (!$extfout) {
            print("The file \"$bestand2\" cannot be uploaded because its extension is not allowed!");
        } else {
            if ($_FILES['bestand']['size'] > $max) {
                print("The file \"$bestand2\" is larger than $max bytes!");
            } else {
                // Save the file
                // $_FILES['bestand'] is the whole array; move_uploaded_file() expects
                // the temporary path, $_FILES['bestand']['tmp_name']
                move_uploaded_file($_FILES['bestand'], "$map$bestand2");
                print("The file \"$bestand2\" was uploaded successfully!");
            }
        }
    }
}

// Upload form
// $_SERVER['PHP_SELF'] echoes part of the request URL; escape it with htmlspecialchars()
$title = "PICTURES";
$text  = ("<form method=post action=" . $_SERVER['PHP_SELF'] . " enctype=multipart/form-data>
    File: <input type=\"file\" name=\"bestand\"><br><br>
    <input type=\"submit\" name=\"Uploaden\" value=\"Uploaden\"></form>");
?>
```

It does nothing :-( except you can choose a file and click on upload, but if I look in the dir, there isn't any file :-s
DEVILofDARKNESS Posted March 27, 2009

By the way, on one of my other sites I use a system where they may only enter a link to a site where the image is located, of course much safer, but on this one they should also be able to upload movies and songs. It's for a class project, and only my classmates can upload something and they don't know a thing about programming, so I don't think I should worry.
PFMaBiSmAd Posted March 27, 2009

DEVILofDARKNESS, don't hijack an active thread to get help with your problems. Start your own thread.
xenoalien (Author) Posted March 27, 2009

> Just because you have registration and login does not stop anyone from registering and then uploading a script which they then browse to and take over your site. You must prevent execution of code, and the best way of doing that is preventing direct browser access to the location where the files are stored. You must also ensure that the location where files are stored is completely specified by your script and only uses the base part of the supplied file name (or even go so far as to generate internal file names yourself and only store the supplied file name in a database) so that directory traversal using ../../../ is prevented.

Okay, help me with this. The files are stored in storeupon.com/uploaded. How do I prevent direct browser access? Should I put an index file in there so that the files do not show up? I plan on putting the file directories in a file table where, after the user logs in, the database will be queried for table rows with the username of the user and the directory, so that only the user's files will be displayed.
Brian W Posted March 27, 2009

> When I wrote a file upload site, I didn't allow anything external to access the directory where the files were stored, and just served the files via a PHP file by setting the headers and outputting the file. You could upload whatever, but it would never be executed in any way by the server.

This is also good because it will not allow people to grab files that aren't theirs. Also, remember that when you get several people uploading files, even if just single archive files, you may run into naming conflicts. For example: Joe uploads "backup.zip" and John uploads "backup.zip"... BAM! I'd suggest renaming the files to something like `$username . time() . "." . $extension`, which would look something like this: "Joe1238173249.zip"

*AdSense, I believe, will work almost anywhere.

PFMaBiSmAd makes a strong, good point. If you are using Apache, use a .htaccess and block access to the folder from outside the server. If you are running IIS or other servers, look into their directory security features.

edit: fixed word
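An added example, not code from any post in this thread, putting together what Yacoby, PFMaBiSmAd and Brian W describe above: uploads go into a directory outside the document root under a server-generated name, the client's file name is kept only in the database, and files come back through a script that sends headers and checks ownership. The storage path, the SQLite table, the session field holding the user id, and PHP 7+ (random_bytes) are assumptions.

```php
<?php
// Added example, not code from the thread. STORAGE_DIR, the table layout and
// the session lookup are assumptions for illustration.

const STORAGE_DIR = '/var/www/storeupon-data';   // assumed: NOT under the document root

function openDb(): PDO
{
    $db = new PDO('sqlite:' . STORAGE_DIR . '/files.sqlite');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE IF NOT EXISTS files (
        id           INTEGER PRIMARY KEY AUTOINCREMENT,
        user_id      INTEGER NOT NULL,
        stored_name  TEXT    NOT NULL UNIQUE,   -- random, chosen by the server
        display_name TEXT    NOT NULL,          -- whatever the client called it
        size         INTEGER NOT NULL,
        uploaded_at  INTEGER NOT NULL)');
    return $db;
}

/** Move an already validated upload into STORAGE_DIR and record it. Returns the file id. */
function storeUpload(PDO $db, int $userId, array $file): int
{
    // Random name: no collisions between users ("backup.zip" twice is fine),
    // nothing attacker-controlled in the path, and no extension, so no
    // handler would match it even if the directory were ever exposed.
    $storedName = bin2hex(random_bytes(16));
    $dest = STORAGE_DIR . '/' . $storedName;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store upload');
    }
    chmod($dest, 0640);   // readable by the web server, never executable

    // Only the base part of the client name is kept, and only in the database.
    $displayName = basename(str_replace('\\', '/', (string) $file['name']));
    $stmt = $db->prepare('INSERT INTO files (user_id, stored_name, display_name, size, uploaded_at)
                          VALUES (?, ?, ?, ?, ?)');
    $stmt->execute([$userId, $storedName, $displayName, (int) $file['size'], time()]);
    return (int) $db->lastInsertId();
}

/** Send file $fileId to the browser, but only if it belongs to $userId. */
function sendFile(PDO $db, int $userId, int $fileId): void
{
    $stmt = $db->prepare('SELECT stored_name, display_name FROM files WHERE id = ? AND user_id = ?');
    $stmt->execute([$fileId, $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        http_response_code(404);   // same answer for "not yours" and "does not exist"
        exit;
    }
    $path = STORAGE_DIR . '/' . $row['stored_name'];

    // Force a download; never let the browser render or sniff the content.
    $safeName = str_replace(['"', "\r", "\n"], '_', $row['display_name']);
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $safeName . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
    exit;
}

// download.php?id=123 (the user id comes from the authenticated session, assumed)
if (PHP_SAPI !== 'cli' && isset($_GET['id'])) {
    session_start();
    if (empty($_SESSION['user_id'])) {
        http_response_code(403);
        exit;
    }
    sendFile(openDb(), (int) $_SESSION['user_id'], (int) $_GET['id']);
}
```

Because the stored files live outside the document root and have no extension, there is no URL that maps to them and nothing for mod_php to execute, which is what makes the extension ban in the first post unnecessary. If the directory has to stay under the document root, as storeupon.com/uploaded does, also deny it at the web server: on Apache 2.4 `Require all denied` (2.2: `Deny from all`) in a `<Directory>` block or an .htaccess file, as Brian W suggests.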
DEVILofDARKNESS Posted March 27, 2009

> DEVILofDARKNESS, don't hijack an active thread to get help with your problems. Start your own thread.

Sorry if I say so, but I have had a thread since last week and nobody answered me; xenoalien just asks one thing and everybody answers.
xenoalien (Author) Posted March 27, 2009

> This is also good because it will not allow people to grab files that aren't theirs. Also, remember that when you get several people uploading files, even if just single archive files, you may run into naming conflicts. For example: Joe uploads "backup.zip" and John uploads "backup.zip"... BAM! I'd suggest renaming the files to something like `$username . time() . "." . $extension`, which would look something like this: "Joe1238173249.zip"
>
> *AdSense, I believe, will work almost anywhere.
>
> PFMaBiSmAd makes a strong, good point. If you are using Apache, use a .htaccess and block access to the folder from outside the server. If you are running IIS or other servers, look into their directory security features.

Ahhh... thank you! I was thinking about using some kind of random number generator, then a hash, and putting it in a loop to keep comparing it with other file names in the database table to make sure that it was not used yet, but your way is the easiest way for now.
Brian W Posted March 27, 2009

> DEVILofDARKNESS, don't hijack an active thread to get help with your problems. Start your own thread.
>
> Sorry if I say so, but I have had a thread since last week and nobody answered me; xenoalien just asks one thing and everybody answers.

I don't know why people wouldn't answer your question that day... there are several reasons why some posts don't get answered, including: the question was asked wrong or in an unreadable manner, the question was too difficult (unlikely for this particular subject), or you posted on a day or at a time of day when our most active members weren't active.
This topic is now archived and is closed to further replies.