
Understanding is_uploaded_file ( )


Drongo_III


Hi guys

 

Sorry I keep asking noob questions today...

 

I'm working on something that has a user facing image upload facility. So I'm slowly working through a class to make this as secure as possible.

 

One of the tips online is to use the method "is_uploaded_file ( )".

 

According to php.net - "Returns TRUE if the file named by filename was uploaded via HTTP POST. This is useful to help ensure that a malicious user hasn't tried to trick the script into working on files upon which it should not be working--for instance, /etc/passwd. "

 

I'm not one to just use things without understanding why. So how exactly could someone get a script to work on an internal file via a browse/upload facility?

 


I'm not one to just use things without understanding why. So how exactly could someone get a script to work on an internal file via a browse/upload facility?

 

Normally when the browsers submit the filename, they include only the base name and no directory components. A malicious user could however alter the request to include a full path to a file as the filename. For example changing the header from

Content-disposition: form-data; name="upload"; filename="somefile.jpg"

 

to

 

Content-disposition: form-data; name="upload"; filename="/etc/passwd"

 

 

If you're not careful you might end up enabling other means for the user to manipulate the filename as well.

 


It's an automated step to avoid a client trying to manipulate files they shouldn't.

 

It acts as an extra layer of protection, but isn't very flexible either. More complex uploaders, like ones that upload in chunks, or process the temporary image with another script can't use it.

 

I personally just sanitize the file name, keep uploads in their own temporary folder, and use copy();unlink(); I miss an extra layer of security, but also an extra layer of potential complexity.

 

If unsure, and it works, use it. If you're already isolating the files, and stripping bad characters out of the user-defined file names, you don't really need it.


As was mentioned above, simply put it's just a check to make sure the file has been uploaded. It's not entirely accurate if you're working with more complex uploading systems. If you're doing standard file uploads it can be useful as an additional check, but it's not really needed. You're better off putting your time into other checks... to make sure they aren't uploading improper file types, and things like that.
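An added example, not code posted by anyone in this thread: a standard single-file upload handler that combines the checks discussed above (the is_uploaded_file() test on the temporary file, ignoring the client-supplied filename as a path, and a content-based type check). The function name, the storage directory and the allowed-type list are assumptions; the field name "upload" is taken from the header shown earlier.

```php
<?php
// Added example: hypothetical helper, not taken from the thread.
const UPLOAD_DIR = '/var/www/uploads';   // assumed directory outside the web root
const ALLOWED = [                        // assumed policy: MIME type => extension
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

function store_uploaded_image(array $file, string $destDir = UPLOAD_DIR): string
{
    // A single-file upload has scalar 'error' and 'tmp_name' entries.
    if (!isset($file['error'], $file['tmp_name']) || is_array($file['error'])) {
        throw new RuntimeException('Malformed upload data');
    }
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with code ' . $file['error']);
    }
    // The temporary path must be a file PHP itself received via HTTP POST.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    // Decide the type from the file contents, not from what the client claims.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!is_string($mime) || !array_key_exists($mime, ALLOWED)) {
        throw new RuntimeException('Unsupported file type');
    }
    // The client-supplied name is never used as a path: generate our own.
    $target = $destDir . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    // move_uploaded_file() repeats the is_uploaded_file() check before moving.
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not store upload');
    }
    return $target;
}

if (PHP_SAPI !== 'cli' && isset($_FILES['upload'])) {
    try {
        $path = store_uploaded_image($_FILES['upload']);
        // The client's name is shown only as directory-stripped, escaped text.
        $label = htmlspecialchars(basename($_FILES['upload']['name']), ENT_QUOTES);
        echo "Stored {$label} as " . basename($path);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Upload rejected';
    }
}
```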

