freelance84, Posted June 7, 2011

I have just finished a photo upload section using Ajax and PHP... However I have a few concerns:

How do I really know what type of files are being uploaded? At the moment I have a simple js filter which checks the extension of the file before uploading, then another check with php on the server (they simply check the file extension to see if the uploading file is an image).

My concern: Is it possible for a 'hacker' to embed a virus or something similar/worse into an image? And if so, would anyone recommend any virus checking software which will monitor files being uploaded?

If you rename the extension from anything to '.jpeg' it passes the basic filter. Should this be a concern? Has anyone ever heard of a file being uploaded disguised as an image when in actual fact it was something else? Is there a more in-depth way of validating a file type being uploaded from a user?

PS// The site will shortly not be limited to just photos, but also PDFs and possibly Adobe Ps/Ai and Gimp

dougjohnson, Posted June 7, 2011

The following link is a great article on file upload security (read the .jpg image header comment injection paragraph):

http://www.acunetix.com/websitesecurity/upload-forms-threat.htm

freelance84 (Author), Posted June 7, 2011

That is one very useful link. Thank you!

So to summarize the php validation of a file being uploaded (if the file is an image):

//ensuring the correct file extension.
1. Extract the last file .ext from the filename to prevent multiple file extensions (Case 3-4 from the link).
2. Check this .ext: "in_array($ext, array('jpg','jpeg','pjpeg','gif','png'))"
3. Couple this file extension with my own filing system name, e.g. 16482546.jpg
4. I am now left with a safe file name with a safe single file extension.

//check getimagesize
1. Run getimagesize and check it does not return false. (However, this does not mean there is no php in the image header.)

//Protecting the upload folder with .htaccess, and protecting the .htaccess itself
1. Prevent any scripts from running in the upload folder. Ensuring the file being uploaded only has one file type and renaming the uploaded file to fit my own filing system means the user can never overwrite the .htaccess in this folder.
2. Also, do not place the .htaccess file in the same directory where the uploaded files will be stored. It should be placed in the parent directory. Again, to prevent the .htaccess from being overwritten.

So, say for example someone uploaded an image with php in the header. .htaccess should prevent the script from running; however, would there be any way of setting some sort of alarm: something to notify the admin that the image is dangerous? Or better still, is it possible to alter the image header yourself in the php before upload?

xylex, Posted June 7, 2011

Apache just goes by the file extension for what to send to the PHP parser, so as long as you're sure the file has an extension that won't go to PHP, you're covered.

But if you're really paranoid, you can always regenerate the image with gd. Adds a bit of load to your server, but this will wipe any image headers/metadata from the image. Also, if you did want everything to be a jpg and you're allowing gif & png's to be uploaded, this would give you a chance to convert them too.

freelance84 (Author), Posted June 8, 2011

> Apache just goes by the file extension for what to send to the PHP parser, so as long as you're sure the file has an extension that won't go to PHP, you're covered.
>
> But if you're really paranoid, you can always regenerate the image with gd. Adds a bit of load to your server, but this will wipe any image headers/metadata from the image. Also, if you did want everything to be a jpg and you're allowing gif & png's to be uploaded, this would give you a chance to convert them too.

Yea, I read a little about Image Processing and GD.

It's not to do with the concern of a php script running from the header of an image, as this is blocked via .htaccess; it's more to do with alerting the admin of a certain username which has uploaded a malicious file, thus enabling the admin to communicate with the said user or ban or whatever is most appropriate...
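
The checks discussed in this thread (last extension only, whitelist, getimagesize, server-chosen file name, regeneration with GD, and a log entry naming the uploader), put together as an added example that is not code from any of the posters. The function name, log format and destination path are assumptions, and it requires PHP 7.1+ with the GD extension.

```php
<?php
// Added example. Function name, log format and paths are hypothetical.
const IMAGE_TYPES = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_GIF => 'gif', IMAGETYPE_PNG => 'png'];

/** Returns the stored file name, or null when the upload is rejected. */
function store_uploaded_image(string $tmpPath, string $clientName, string $username, string $destDir): ?string
{
    // Only the last extension of the client-supplied name counts.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'gif', 'png'], true)) {
        return null;
    }
    // getimagesize() returns false when the bytes are not a parseable image.
    $info = @getimagesize($tmpPath);
    $raw  = file_get_contents($tmpPath);
    if ($info === false || $raw === false || !isset(IMAGE_TYPES[$info[2]])) {
        return null;
    }
    // The "alarm": a PHP open tag in the raw bytes is logged with the uploader.
    if (stripos($raw, '<?php') !== false) {
        error_log(sprintf('upload-alert user=%s sha256=%s reason=php-open-tag',
            rawurlencode($username), hash('sha256', $raw)));
        return null;
    }
    // Decode and re-encode with GD; headers, comments and metadata are not copied.
    // (Animated GIFs are reduced to their first frame.)
    $img = @imagecreatefromstring($raw);
    if ($img === false) {
        return null;
    }
    // Server-chosen name; the extension comes from the detected type, not the client.
    $name = bin2hex(random_bytes(8)) . '.' . IMAGE_TYPES[$info[2]];
    $dest = rtrim($destDir, '/') . '/' . $name;
    switch ($info[2]) {
        case IMAGETYPE_JPEG: $ok = imagejpeg($img, $dest, 90); break;
        case IMAGETYPE_GIF:  $ok = imagegif($img, $dest); break;
        default:
            imagesavealpha($img, true);   // keep PNG transparency
            $ok = imagepng($img, $dest);
    }
    return $ok ? $name : null;
}

// Typical call from the upload handler (form field name "photo" is an assumption):
// $stored = store_uploaded_image($_FILES['photo']['tmp_name'], $_FILES['photo']['name'], $user, '/var/uploads');
```

Re-encoding drops headers and metadata but keeps the pixel data, so it complements rather than replaces storing uploads where the server never executes PHP.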