Jump to content

Recommended Posts

$finfo = finfo_open(FILEINFO_MIME_TYPE);
$mime = finfo_file($finfo, $_FILES['file']['tmp_name']);
finfo_close($finfo);

$mime will then contain the mime file type (ie. application/msword for .doc) To see what the other mime types for the other file types you want to allow here's a reference: http://www.w3schools.com/media/media_mimeref.asp

Link to comment
https://forums.phpfreaks.com/topic/175511-document-upload/#findComment-924816
Share on other sites

Using a mime type is not the best option because some browsers don't send a mime type, and it can be spoofed pretty easily.

you can make an array of allowed file types, and get the file extension, and compare that to the array like so

$allowed_types = array("doc", "docx", "pdf");
$ext = substr(strrchr($fileName, '.'), 1);//fileName is the name of the file;

if (!in_array($ext, $allowed_types)){
echo "Invalid file type";
exit();
}

Link to comment
https://forums.phpfreaks.com/topic/175511-document-upload/#findComment-924923
Share on other sites

if its not the correct extension, how do you suggest that the file would be run? Also, you can change the mime type just as easily as you can change the file extension (well maybe its a little harder) not to mention that not every browser sends a mime type, and some send different mime types. For example, jpg files have 3 different possible mime types. I don't think IE 6 even sends a mime type. a virus.exe with a spoofed mime type is much more dangerous than a virus.jpg with a spoofed file extension in my opinion. Im no security expert, but i have read many discussions about mime types, and how they can be exploited

Link to comment
https://forums.phpfreaks.com/topic/175511-document-upload/#findComment-924945
Share on other sites

if its not the correct extension, how do you suggest that the file would be run? Also, you can change the mime type just as easily as you can change the file extension (well maybe its a little harder) not to mention that not every browser sends a mime type, and some send different mime types. For example, jpg files have 3 different possible mime types. I don't think IE 6 even sends a mime type. a virus.exe with a spoofed mime type is much more dangerous than a virus.jpg with a spoofed file extension in my opinion. Im no security expert, but i have read many discussions about mime types, and how they can be exploited

 

Very true, mime type cannot be trusted. Probably the best bet is to check the extension as mentioned.

Link to comment
https://forums.phpfreaks.com/topic/175511-document-upload/#findComment-924948
Share on other sites

Yes, as mike said mime can be changed to whatever and all browsers does not send it right or at all. Best would be checking extension. Still this can be also changed to whatever but your still kind of safe, because for example php won't compile files with .jpg extension even if the file content was not a picture.

 

What would be better than checking the extension? Probably checking and validating also the contents of the file. But that will be much much harder to do and also would probably cause a lot of extra load to the server. I don't know if there is even any libraries or apps that will do this with php.

Link to comment
https://forums.phpfreaks.com/topic/175511-document-upload/#findComment-924962
Share on other sites

if its not the correct extension, how do you suggest that the file would be run?

 

php won't compile files with .jpg extension even if the file content was not a picture.

 

i got the impression that if the script is not totally secure then malicious files could be uploaded with a different (allowed) file extension and then once on the server, could be changed to .php or .exe or whatever it is to then run. is that kind of impossible? anythings possible ey?

Link to comment
https://forums.phpfreaks.com/topic/175511-document-upload/#findComment-925052
Share on other sites

This doesnt help with Docs but if you know you are getting images you can check them again with exif_imagetype or getimagesize

 

And to help secure upload directories use .htaccess and something like this

 

# Don't list contents
IndexIgnore *
Options All -Indexes
# Secure directory by disabling script execution
AddHandler cgi-script .php .php2 .php3 .php4 .php5 .php6 .php7 .php8 .pl .py .jsp .asp .htm .html .shtml .sh .cgi
Options -ExecCGI
# Don't show this file
<Files .htaccess>
order allow,deny
deny from all
</Files>

 

I once dropped a php file in one of my protected directories to help do some file parsing but I was getting a 404/405(?) error trying to run it.. I was getting really pissed until I remembered that this .htaccess was there :|

 

Link to comment
https://forums.phpfreaks.com/topic/175511-document-upload/#findComment-925072
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.