
Hello people! I want to know about some security features for file upload in PHP. I have read a lot of material, but not all of it answered my questions.

 

To start, I am more on the front-end than the back-end, so I am not a professional in PHP, but I do know several things in PHP (procedural). I created a file upload system before, which was for uploading images, including security and validation. Anyway, I am planning to create a similar system again, but I want to know more about the things I applied before. Here are my questions:

 

1/ When validating file formats, which is better: validating by MIME type or by regular expression? I used a regular expression before, because I have read that the MIME type can be changed; even so, I am curious. Here is an example of a regular expression which accepts only JPG and GIF files: /\.(gif|jpg)$/i

 

2/ Can we upload a file like an EXE without affecting the server? I do not want the EXE file to execute on the server; put simply, if it is infected, it can ruin the server. Is there a solution to tackle this, or is it not recommended? I ask because many file hosting sites let you upload EXE, RAR, ZIP, script formats etc...

 

3/ What other security measures should I take into account on file upload? All uploaded files will be in a folder, and the user will get their links to download.

 

4/ This question is not about security but mostly about cron jobs. Normally, an uploaded file will be stored in a folder, but not forever on the server. I want each uploaded file to be deleted from the folder after 3 days. I am not saying all files have to be deleted simultaneously, but each file which is more than 3 days old. For example, if I upload one today, it will be deleted on Sunday. If I upload another one tomorrow, it will be deleted on Monday. For this, a person told me to store the timestamps and the name of the file in a database. How do I proceed with the deletion using a cron job?

 

Thanks!


To answer your questions:

 

  1. Both MIME type and the file extension can be changed. While it's relatively easy to change/spoof the MIME type it's even easier to change the file extension. So you should not rely upon any of those. Check them, yes, and mark it as a failure if they don't match, but don't rely upon them.
  2. This really depends upon the server, how you've configured it, where you've placed the files, and how the user gets access to them.
    If it's a Linux server, you've removed (or rather avoided setting) the execute permission, placed the files outside of the web root, and you're running your users to a download script that reads the file, well... then you're pretty secure. At least as long as no-one gets direct/shell access to the server, but in that case the upload form is irrelevant.
  3. In addition to the above, you should also check if the actual file's contents are valid for the MIME type and extension. At least in the cases where it's feasible to do so. You can also set up an automated virus-scan service for all new files, before they get added to the "download" folder, just to ensure yourself that extra bit.
    Input validation and output escaping are also, naturally enough, an important part of all user-submitted data, not just the files themselves. As with everything that accepts input from a user.
  4. Just search for a crontab tutorial on the web, and you'll find a lot of them. Should provide you with all the details you need, and the actual logic behind the deletion should be a cake walk.
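
The checks from points 1 to 3 above in PHP, as an added example that is not part of the original posts: the extension and the MIME type detected from the content must agree, the content must parse as an image, and the file is stored outside the web root and returned only through a download script. The directory, the `gif`/`jpg` allowlist (taken from the regular expression in the question) and the function names are assumptions.

```php
<?php
declare(strict_types=1);
const UPLOAD_DIR = '/var/app/uploads'; // assumed path, outside the web root
const ALLOWED = ['gif' => 'image/gif', 'jpg' => 'image/jpeg']; // ext => MIME

// Validate one $_FILES entry and store it; returns the server-side name.
function store_upload(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed');
    }
    // The extension comes from the client-supplied name: a hint only.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        throw new RuntimeException('Extension not allowed');
    }
    // MIME type detected from the bytes; $file['type'] is client-controlled.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException('Extension and content type do not match');
    }
    // Content check: the file must parse as an image of that type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('Not a valid image');
    }
    // Server-generated name, so the user's file name never reaches the disk.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $stored)) {
        throw new RuntimeException('Could not store file');
    }
    chmod(UPLOAD_DIR . '/' . $stored, 0640); // no execute bit
    return $stored;
}

// Download script: PHP reads the file and sends it as an attachment.
function send_download(string $stored): void
{
    // Accept only names generated above, which rules out path traversal.
    $path = UPLOAD_DIR . '/' . $stored;
    if (!preg_match('/\A[0-9a-f]{32}\.(gif|jpg)\z/', $stored) || !is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $stored . '"');
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}
```

A file can pass all three checks and still carry extra bytes after the image data, which is why it is kept outside the web root and only ever sent back through `send_download`.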

Just to add on to Christian, you don't necessarily need to store the timestamp in a database. Since these files are created new on the server, their modify date will be the date they were uploaded. Assuming they don't change once uploaded/virus scanned/moved to download folder, you can just run a script that loops through your directory and checks that date. This can be done multiple ways, too. If you want to make it a little more universal, make a Perl/CGI script or a PHP script and have your cron job execute that.

 

At my last place I would run a nightly PHP script that would do stuff like this and I would have it email me a report of what was done. It was really easy to maintain and add on to.
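
The modification-time approach described in this reply, as an added example that is not part of the original posts: a PHP script for cron that removes files older than three days and prints a report. The directory, the script path in the crontab comment and the function name are assumptions.

```php
<?php
declare(strict_types=1);

// Assumed values: the storage directory, and the 3-day limit from the question.
const UPLOAD_DIR = '/var/app/uploads';
const MAX_AGE = 3 * 24 * 60 * 60;

// Delete regular files in $dir whose modification time is more than $maxAge
// seconds in the past; returns the names that were removed.
function purge_old_uploads(string $dir, int $maxAge, ?int $now = null): array
{
    $now = $now ?? time();
    $removed = [];
    foreach (new DirectoryIterator($dir) as $entry) {
        // Skip ".", "..", subdirectories and symlinks: only plain files go.
        if ($entry->isDot() || $entry->isLink() || !$entry->isFile()) {
            continue;
        }
        if ($now - $entry->getMTime() > $maxAge && unlink($entry->getPathname())) {
            $removed[] = $entry->getFilename();
        }
    }
    return $removed;
}

// Run from cron only; do nothing when the script is requested over the web.
if (PHP_SAPI === 'cli') {
    $removed = purge_old_uploads(UPLOAD_DIR, MAX_AGE);
    // Report of what was done; cron mails this output to the address in
    // MAILTO when that variable is set in the crontab.
    echo date('c'), ' removed ', count($removed), " file(s)\n";
    foreach ($removed as $name) {
        echo "  $name\n";
    }
}

// Example crontab entry (hypothetical script path), nightly at 03:00:
// 0 3 * * * php /var/app/bin/purge_uploads.php
```

This relies on the assumption stated in the reply: files are not modified after they land in the folder, so the modification time equals the upload time.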
