Jump to content

Upload secruity problems

thenewperson

By thenewperson
in PHP Coding Help

 Share

Recommended Posts

oni-kun Member

oni-kun

Posted
Posted

Well really as long as you check mimetypes, place the file in a random secure location (watching for collision and make 100% sure your headers force download and not running on anything on the download area, than it should be okay.

 

If you wish to allow multiple files to be uploaded, you should make 100% sure the loops are solid, as a slight error could mean anything from injection to multi-stream attacks.

 

<?php
  $allowedExtensions = array("txt","csv","htm","html","xml",
    "css","doc","xls","rtf","ppt","pdf","swf","flv","avi",
    "wmv","mov","jpg","jpeg","gif","png");
  foreach ($_FILES as $file) {
    if ($file['tmp_name'] > '') {
      if (!in_array(end(explode(".",
            strtolower($file['name']))),
            $allowedExtensions)) {
       die($file['name'].' is an invalid file type!<br/>'.
        '<a href="javascript:history.go(-1);">'.
        '<&lt Go Back</a>');
      }
    }
  }
?>

mrMarcus Member

mrMarcus

Posted
Posted

Well really as long as you check mimetypes, place the file in a random secure location (watching for collision and make 100% sure your headers force download and not running on anything on the download area, than it should be okay.

 

If you wish to allow multiple files to be uploaded, you should make 100% sure the loops are solid, as a slight error could mean anything from injection to multi-stream attacks.

 

<?php
  $allowedExtensions = array("txt","csv","htm","html","xml",
    "css","doc","xls","rtf","ppt","pdf","swf","flv","avi",
    "wmv","mov","jpg","jpeg","gif","png");
  foreach ($_FILES as $file) {
    if ($file['tmp_name'] > '') {
      if (!in_array(end(explode(".",
            strtolower($file['name']))),
            $allowedExtensions)) {
       die($file['name'].' is an invalid file type!<br/>'.
        '<a href="javascript:history.go(-1);">'.
        '<&lt Go Back</a>');
      }
    }
  }
?>

 

this code does not actually check for MIME type (assuming that was your intention).  the extension of the file does not by any means guarantee the file type.  a file can be uploaded with a .jpg extension, and later renamed back to .exe and executed on the server.

 

try:

 

<?php
$file = '/path/to/file.jpg';

$check = getimagesize ($file);

echo $check['mime']; //will print image/jpeg;
?>

 

change the extension on that same .jpg to .exe for example, and you will still get image/jpeg as your MIME type.

 

there is also a PECL extension you can install called fileinfo.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.