gatzkerob Posted May 27, 2011

```php
<?php
// Maximum file size for upload
$maxFileSize = 5242880;

// If file is too large
if(!empty($_SERVER['CONTENT_LENGTH']) && $_SERVER['CONTENT_LENGTH'] > $maxFileSize)
    echo "File too large";
else {
    if(isset($_POST['submit'])) {
        // List of acceptable file types
        $whitelist = array(
            "application/vnd.openxmlformats-officedocument.wordprocessingml.document", // .docx
            "application/msword", // .doc, .rtf
            "text/plain",
            "image/jpeg",
            "image/gif",
            "image/png",
            "application/pdf",
            "application/octet-stream", // .rar
            "application/x-zip" // .zip
        );

        // Is uploaded file type in whitelist array
        if(!in_array($_FILES['file_upload']['type'], $whitelist))
            exit("Bad Filetype");

        // Don't allow php files
        if(preg_match("/\.php.*$/i", $_FILES['file_upload']['name']))
            exit("We do not allow uploading PHP files\n");

        // Move the file
        $uploaddir = '../uploads/';
        $uploadfile = $uploaddir . "[" . time(). "]." . basename($_FILES['file_upload']['name']);

        if (move_uploaded_file($_FILES['file_upload']['tmp_name'], $uploadfile))
            exit("File is valid, and was successfully uploaded.\n");
        else
            exit("File uploading failed.\n");
    }
}
?>
<html>
<head>
    <title>Upload Test</title>
</head>
<body>
    <form action="<?php echo $_SERVER['PHP_SELF']; ?>" enctype="multipart/form-data" method="POST">
        <input type="hidden" name="MAX_FILE_SIZE" value="<?php echo $maxFileSize; ?>" />
        <input type="file" name="file_upload" />
        <input type="submit" name="submit" value="upload" />
        <br />
        <?php echo "(Max: " . number_format($maxFileSize/1048576,0) . " MB)" ?>
    </form>
</body>
</html>
```

Link to comment: https://forums.phpfreaks.com/topic/237668-is-this-upload-script-secure/
fugix Posted May 27, 2011

The one thing that I notice is your use of php_self as your form action.... this should normally be avoided.. here is why
gatzkerob (author) Posted May 27, 2011

> The one thing that I notice is your use of $_php_self as your form action.... this should normally be avoided.. here is why

I didn't know that. I'll probably be removing it anyway as I plan on using this form with AJAX later on.
mikesta707 Posted May 27, 2011

You may want to use a more graceful technique for stopping your script rather than exiting mid execution. Also, MIME types are browser dependent I believe, meaning that not all browsers send the same MIME type for the same file type (although this may have changed with new versions of browsers. It's been a while since I've made an upload script). Also, MIME types can be spoofed. You may want to also check the extension as well as the MIME type.
gatzkerob (author) Posted May 27, 2011

> You may want to use a more graceful technique for stopping your script rather than exiting mid execution. Also, MIME types are browser dependent I believe, meaning that not all browsers send the same MIME type for the same file type (although this may have changed with new versions of browsers. It's been a while since I've made an upload script). Also, MIME types can be spoofed. You may want to also check the extension as well as the MIME type.

Yeah, I was unsure about exit(); I'll just nest everything in if() statements instead. Should I replace the MIME types with a file extension whitelist instead? I know file extensions can also be faked. Is MIME type really that important? Thanks for the feedback.
mikesta707 Posted May 27, 2011

Well, checking MIME types and file extensions isn't a mutually exclusive process. You could easily check both.
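Following mikesta707's point that the browser-supplied MIME type can be spoofed and that the extension should be checked as well, here is an added example (not code from the thread) that whitelists the extension and requires it to agree with the type detected from the file's bytes on the server via finfo, never consulting $_FILES['file_upload']['type']. It assumes PHP 7.1 or later, the same "file_upload" form field and an uploads directory outside the web root; the extension-to-type mapping is an assumption, trimmed to types libmagic identifies unambiguously.

```php
<?php
// Extension -> server-detected MIME types it must match (assumed mapping).
$allowed = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
    'pdf'  => ['application/pdf'],
    'txt'  => ['text/plain'],
    'zip'  => ['application/zip'],
];

// Returns the extension to store the file under, or null to reject it.
// $file is one entry of $_FILES; nothing in it is trusted except as data.
function validateUpload(array $file, array $allowed): ?string
{
    // PHP's own upload status covers size limits and partial uploads.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    // Only accept a path that really came in through an HTTP upload.
    if (!is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // Whitelist on the last extension, lower-cased; the client-supplied
    // 'type' field is never consulted because the browser sets it.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null;
    }
    // Detect the type from the file's bytes on the server and require it to
    // agree with the extension; "x.php.jpg" holding PHP source fails here.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($detected, $allowed[$ext], true)) {
        return null;
    }
    return $ext;
}

if (isset($_POST['submit'], $_FILES['file_upload'])) {
    $ext = validateUpload($_FILES['file_upload'], $allowed);
    if ($ext === null) {
        $message = 'Upload rejected.';
    } else {
        // Server-chosen random name: the original filename never reaches disk.
        $dest = '../uploads/' . bin2hex(random_bytes(16)) . '.' . $ext;
        $message = move_uploaded_file($_FILES['file_upload']['tmp_name'], $dest)
            ? 'File stored.' : 'Upload failed.';
    }
}
```

Echo $message from the page body instead of calling exit(), which also addresses the mid-execution exits raised earlier in the thread.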