How to validate file when uploading

Posted: Thu Oct 12, 2006 7:10 am
by amir
Hi

I am looking for some way to validate mp3 files when they are uploaded to the server by the client. I can restrict the size and check for the mp3 extension, but I am not sure how to check whether it is really an mp3 file. Could I run into any upload attack problems if I validate only size and extension?

Thank you

Posted: Thu Oct 12, 2006 7:13 am
by feyd
Yes, there are potential attacks available if you only check size and extension.

While there are a few libraries available to check some details about the file (getID3), I don't believe there are any libraries in PHP that will do a full analysis of the frame data.
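As an added example, not code from the thread or from getID3: the "is it really an mp3" check can be done by parsing the bytes rather than trusting the extension. An MP3 is an optional ID3v2 tag followed by a chain of MPEG audio frames, and each frame header fixes that frame's length, so the next header must appear exactly where the current frame ends. Checking that several consecutive headers chain this way rejects renamed scripts and files that merely start with a sync word. It is written in Python rather than PHP for illustration; the sample inputs are constructed here and MIN_FRAMES is an arbitrary threshold.

```python
# Content-based MP3 check (constructed example): skip an optional ID3v2 tag, then
# require MIN_FRAMES consecutive MPEG audio frames whose lengths chain correctly.

ID3V2_MAGIC = b"ID3"
MIN_FRAMES = 3  # assumption: how many chained frames we demand before trusting the file

# Bitrate tables in kbit/s for index 1..14 (index 0 = free format, 15 = reserved).
_BR_MPEG1 = {
    1: [32, 64, 96, 128, 160, 192, 224, 256, 288, 320, 352, 384, 416, 448],
    2: [32, 48, 56, 64, 80, 96, 112, 128, 160, 192, 224, 256, 320, 384],
    3: [32, 40, 48, 56, 64, 80, 96, 112, 128, 160, 192, 224, 256, 320],
}
_BR_MPEG2 = {  # shared by MPEG-2 and MPEG-2.5
    1: [32, 48, 56, 64, 80, 96, 112, 128, 144, 160, 176, 192, 224, 256],
    2: [8, 16, 24, 32, 40, 48, 56, 64, 80, 96, 112, 128, 144, 160],
    3: [8, 16, 24, 32, 40, 48, 56, 64, 80, 96, 112, 128, 144, 160],
}
# Sample rates in Hz for index 0..2 (index 3 = reserved).
_SR = {"1": [44100, 48000, 32000], "2": [22050, 24000, 16000], "2.5": [11025, 12000, 8000]}


def skip_id3v2(data: bytes) -> int:
    """Offset of the first byte after a leading ID3v2 tag; 0 if no tag, -1 if malformed."""
    if len(data) < 10 or data[:3] != ID3V2_MAGIC:
        return 0
    flags, size_bytes = data[5], data[6:10]
    if any(b & 0x80 for b in size_bytes):  # syncsafe integers never set the high bit
        return -1
    size = 0
    for b in size_bytes:
        size = (size << 7) | b
    total = 10 + size + (10 if flags & 0x10 else 0)  # footer flag adds a 10-byte footer
    return total if total <= len(data) else -1  # tag claims more bytes than the file has


def frame_length(hdr: bytes):
    """Parse a 4-byte MPEG audio frame header; return the frame length in bytes or None."""
    if len(hdr) < 4 or hdr[0] != 0xFF or (hdr[1] & 0xE0) != 0xE0:
        return None  # the 11 sync bits are not all set
    b1, b2, b3 = hdr[1], hdr[2], hdr[3]
    version = {0b00: "2.5", 0b10: "2", 0b11: "1"}.get((b1 >> 3) & 0x03)
    layer = {0b01: 3, 0b10: 2, 0b11: 1}.get((b1 >> 1) & 0x03)
    if version is None or layer is None or (b3 & 0x03) == 0x02:
        return None  # reserved version, layer or emphasis value
    br_idx, sr_idx, padding = b2 >> 4, (b2 >> 2) & 0x03, (b2 >> 1) & 0x01
    if br_idx in (0, 15) or sr_idx == 3:
        return None  # free-format/bad bitrate or reserved sample rate: refuse rather than guess
    table = _BR_MPEG1 if version == "1" else _BR_MPEG2
    bitrate = table[layer][br_idx - 1] * 1000
    samplerate = _SR[version][sr_idx]
    if layer == 1:
        return (12 * bitrate // samplerate + padding) * 4
    if layer == 2 or version == "1":
        return 144 * bitrate // samplerate + padding
    return 72 * bitrate // samplerate + padding  # MPEG-2/2.5 Layer III


def looks_like_mp3(data: bytes, min_frames: int = MIN_FRAMES) -> bool:
    """True if data is an optional ID3v2 tag followed by min_frames complete, chained frames."""
    pos = skip_id3v2(data)
    if pos < 0:
        return False
    for _ in range(min_frames):
        length = frame_length(data[pos:pos + 4])
        if length is None or pos + length > len(data):
            return False  # no valid header where the previous frame said one must be
        pos += length
    return True


# --- constructed sample inputs -------------------------------------------------
def _mpeg1_layer3_frame() -> bytes:
    # MPEG-1 Layer III, no CRC, 128 kbit/s, 44100 Hz, no padding: 144*128000//44100 = 417 bytes
    return bytes([0xFF, 0xFB, 0x90, 0x00]) + b"\x00" * (417 - 4)


# ID3v2.3 header with a 20-byte body, then four real frames
SAMPLE_MP3 = b"ID3\x03\x00\x00\x00\x00\x00\x14" + b"\x00" * 20 + _mpeg1_layer3_frame() * 4
# A script renamed to .mp3: right size, wrong content
SAMPLE_SCRIPT = b"<?php echo 'not audio'; ?>".ljust(2048, b"\x00")
# Starts with a valid header, but the next header is not where the frame length says
SAMPLE_BROKEN_CHAIN = bytes([0xFF, 0xFB, 0x90, 0x00]) + b"\x00" * 100 + bytes([0xFF, 0xFB, 0x90, 0x00]) + b"\x00" * 2000

if __name__ == "__main__":
    for name, blob in [("real mp3", SAMPLE_MP3), ("renamed script", SAMPLE_SCRIPT), ("broken chain", SAMPLE_BROKEN_CHAIN)]:
        print(f"{name}: {'accept' if looks_like_mp3(blob) else 'reject'}")
```

This is a structural check, not a decode: it proves the bytes are laid out like MPEG audio, which is what the extension alone cannot tell you. Free-format bitrates and reserved field values are rejected outright, which is the safer default for an upload filter. It says nothing about whether the file would trip a bug in a particular player, so keep the size limit and store uploads where the web server will not execute them.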

Posted: Thu Oct 12, 2006 7:23 am
by amir
Thanks, what a quick reply!

Posted: Thu Oct 12, 2006 7:53 am
by impulse()
I know it's a long shot, but couldn't you install an MP3 player on the server and, every time an MP3 is uploaded, run a shell command to try to play that MP3? If it fails to play the MP3 it returns false, and if it plays, it returns true?
I can imagine it might be tricky to code.

Mind, I think that would only work on *nix servers.

Posted: Thu Oct 12, 2006 4:11 pm
by amir
thanks for your precious ideas

OK, let's put it another way: what is the potential risk of attack, and how could someone make a mess? You cannot execute an mp3 on the server, you cannot change its extension on the server, so what?

Posted: Fri Oct 13, 2006 12:35 pm
by feyd
Execution of the file is possible depending on your server's settings. Even without browser-activated execution, it's still possible to hide malicious code in it and then use a security hole in one of your scripts, or possibly another account on the server, to execute it. The malicious data may not be intended for your server either. It may be intended to create a buffer overflow in a vulnerable player or browser, thus allowing arbitrary code execution. While the chances of those are small, in all probability, any time you allow a user to store data on your server, you have potential holes for attacks.

Posted: Fri Oct 13, 2006 6:05 pm
by amir
Thanks All.
It helped me a lot.
It's a wonderful experience to join this forum.
Thanks once again for your kind assistance.