Pickle Posted September 25, 2009

Hi everyone, can anyone tell me if there is a way of checking if the file being uploaded is definitely just a .doc, .docx or .pdf? Apart from checking the file extension, are there any other checks you can do? Thanks
Alex Posted September 25, 2009

$finfo = finfo_open(FILEINFO_MIME_TYPE);
$mime = finfo_file($finfo, $_FILES['file']['tmp_name']);
finfo_close($finfo);

$mime will then contain the MIME type of the file (i.e. application/msword for .doc). To see the MIME types for the other file types you want to allow, here's a reference: http://www.w3schools.com/media/media_mimeref.asp
Pickle (Author) Posted September 25, 2009

Great! Thank you, really appreciate it.
Pickle (Author) Posted September 25, 2009

Hi, am I right in saying this is a PEAR module? Is there any other way of doing this?
mikesta707 Posted September 25, 2009

Using a MIME type is not the best option because some browsers don't send a MIME type, and it can be spoofed pretty easily. You can make an array of allowed file types, get the file extension, and compare that to the array like so:

$allowed_types = array("doc", "docx", "pdf");
// $fileName is the name of the uploaded file (e.g. $_FILES['file']['name']);
// lower-cased so that "FILE.PDF" is treated the same as "file.pdf"
$ext = strtolower(substr(strrchr($fileName, '.'), 1));
if (!in_array($ext, $allowed_types)) {
    echo "Invalid file type";
    exit();
}
Pickle (Author) Posted September 25, 2009

Hi mikesta707, yeah, I'm already doing that. I just want to make sure that no one is going to change the extension and be able to upload anything they want. Just basing it on the extension isn't really that secure, is it?
mikesta707 Posted September 25, 2009

If it's not the correct extension, how do you suggest that the file would be run? Also, you can change the MIME type just as easily as you can change the file extension (well, maybe it's a little harder), not to mention that not every browser sends a MIME type, and some send different MIME types. For example, jpg files have 3 different possible MIME types. I don't think IE 6 even sends a MIME type. A virus.exe with a spoofed MIME type is much more dangerous than a virus.jpg with a spoofed file extension, in my opinion. I'm no security expert, but I have read many discussions about MIME types and how they can be exploited.
TeNDoLLA Posted September 25, 2009

> If it's not the correct extension, how do you suggest that the file would be run? Also, you can change the MIME type just as easily as you can change the file extension (well, maybe it's a little harder), not to mention that not every browser sends a MIME type, and some send different MIME types. For example, jpg files have 3 different possible MIME types. I don't think IE 6 even sends a MIME type. A virus.exe with a spoofed MIME type is much more dangerous than a virus.jpg with a spoofed file extension, in my opinion. I'm no security expert, but I have read many discussions about MIME types and how they can be exploited.

Very true, the MIME type cannot be trusted. Probably the best bet is to check the extension as mentioned.
Pickle (Author) Posted September 25, 2009

Really?! That surprises me. Hmm, ok, so what I'm doing at the minute is good then? Or ok but not enough?
TeNDoLLA Posted September 25, 2009

Yes, as mike said, the MIME type can be changed to whatever, and not all browsers send it right, or at all. Best would be checking the extension. Still, this can also be changed to whatever, but you're still kind of safe, because for example PHP won't compile files with a .jpg extension even if the file content is not a picture. What would be better than checking the extension? Probably checking and validating the contents of the file as well. But that will be much, much harder to do and would also probably cause a lot of extra load on the server. I don't know if there are even any libraries or apps that will do this with PHP.
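Putting the thread's three suggestions together (extension whitelist, finfo MIME type, and a look at the file contents) for .doc/.docx/.pdf, as an added example that is not code from any poster. It assumes PHP 7 or later with the fileinfo and zip extensions, and that $uploadDir is a directory outside the web root:

```php
<?php
// Added example (not from the thread): check extension, libmagic MIME type and the
// file's own leading bytes, then store under a server-chosen name.
const ALLOWED = [
    // ext => [MIME types finfo may report (older libmagic labels containers generically), leading bytes]
    'pdf'  => [['application/pdf'], "%PDF-"],
    'doc'  => [['application/msword', 'application/vnd.ms-office', 'application/CDFV2'], "\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"], // OLE2
    'docx' => [['application/vnd.openxmlformats-officedocument.wordprocessingml.document', 'application/zip'], "PK\x03\x04"], // ZIP
];
function validateDocument(array $file): string
{
    if (($file['error'] ?? -1) !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed or is not a real upload');
    }
    // 1. Extension taken from the basename, lower-cased, checked against the whitelist.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException("Extension not allowed: $ext");
    }
    [$mimes, $magic] = ALLOWED[$ext];
    // 2. libmagic reads the content; the browser-supplied $file['type'] is ignored entirely.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $file['tmp_name']);
    finfo_close($finfo);
    if (!in_array($mime, $mimes, true)) {
        throw new RuntimeException("Content type $mime does not match .$ext");
    }
    // 3. The leading bytes must be those of the format the extension claims.
    if (file_get_contents($file['tmp_name'], false, null, 0, strlen($magic)) !== $magic) {
        throw new RuntimeException("File header does not match .$ext");
    }
    // 4. A .docx is just a ZIP to libmagic, so also require the Word document part.
    if ($ext === 'docx') {
        $zip = new ZipArchive();
        if ($zip->open($file['tmp_name']) !== true || $zip->locateName('word/document.xml') === false) {
            throw new RuntimeException('Not a Word OOXML package');
        }
        $zip->close();
    }
    return $ext;
}
// Store under a random name in $uploadDir, assumed to be a directory outside the web root.
function storeDocument(array $file, string $uploadDir): string
{
    $dest = $uploadDir . '/' . bin2hex(random_bytes(16)) . '.' . validateDocument($file);
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    return $dest;
}
```

Call it as storeDocument($_FILES['file'], '/path/outside/webroot'); the exception message says which of the four checks rejected the file.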
Pickle (Author) Posted September 25, 2009

> If it's not the correct extension, how do you suggest that the file would be run?

> PHP won't compile files with a .jpg extension even if the file content is not a picture.

I got the impression that if the script is not totally secure then malicious files could be uploaded with a different (allowed) file extension and then, once on the server, could be changed to .php or .exe or whatever it is, to then run. Is that kind of impossible? Anything's possible, eh?
knsito Posted September 25, 2009

This doesn't help with docs, but if you know you are getting images you can check them again with exif_imagetype or getimagesize. And to help secure upload directories, use .htaccess and something like this:

# Don't list contents
IndexIgnore *
Options All -Indexes

# Secure directory by disabling script execution
AddHandler cgi-script .php .php2 .php3 .php4 .php5 .php6 .php7 .php8 .pl .py .jsp .asp .htm .html .shtml .sh .cgi
Options -ExecCGI

# Don't show this file
<Files .htaccess>
order allow,deny
deny from all
</Files>

I once dropped a php file in one of my protected directories to help do some file parsing, but I was getting a 404/405(?) error trying to run it. I was getting really pissed until I remembered that this .htaccess was there :|