['type'] to limit upload types

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

Post Reply
mart3ndo
Forum Newbie
Posts: 1
Joined: Sun Aug 10, 2008 4:18 pm

['type'] to limit upload types

Post by mart3ndo »

Hi,

I have a basic upload script:

Code: Select all

// Turn the image that is being uploaded into a varible.
$imagename = $_FILES['image']['name'];
 
// Copies the image from your web servers temporary file to your web server
copy($_FILES['image']['tmp_name'], "./images/".time()."$imagename");
I have been told to use the ['type'] function in this script to limit what can be uploaded (png,jpg,jpeg,gif), but am unsure how to implement this.

Thanks,

Martyn
User avatar
califdon
Jack of Zircons
Posts: 4484
Joined: Thu Nov 09, 2006 8:30 pm
Location: California, USA

Re: ['type'] to limit upload types

Post by califdon »

User avatar
The_Anomaly
Forum Contributor
Posts: 196
Joined: Fri Aug 08, 2008 4:56 pm
Location: Tirana, Albania

Re: ['type'] to limit upload types

Post by The_Anomaly »

This links explains it perfectly--but here is a list of all of the MIME types, like the "image/gif" on that guide. Handy to have, so you're not searching all over the place for them.

Of course, if you're accepting multiple types, you can use the "||" operator in the conditional statement. Like this:

Code: Select all

if($_FILES['video']['type'] == "video/x-ms-wmv" || $_FILES['video']['type'] == "video/mpeg" || $_FILES['video']['type'] == "video/avi"){
echo "Congratulations! It's a video!"
}else{
echo "Go diaf, you cracker."
}
Although, you might not want to add that else statement :)

EDIT:
Check these links out too, to see why the code in your OP is insecure:
http://www.php.net/moveuploadedfile
http://www.php.net/isuploadedfile
Last edited by The_Anomaly on Mon Aug 11, 2008 3:38 am, edited 1 time in total.
User avatar
onion2k
Jedi Mod
Posts: 5263
Joined: Tue Dec 21, 2004 5:03 pm
Location: usrlab.com

Re: ['type'] to limit upload types

Post by onion2k »

Don't trust ['type']. It's information that comes from the client, and could consequently be anything. I can upload an executable malware app and make PHP think the type is image/gif or image/jpg or animal/elephant if I want to. Check that the file is the right type when it's been uploaded. Fortunately as you're looking for images it's easy - use getimagesize().
User avatar
The_Anomaly
Forum Contributor
Posts: 196
Joined: Fri Aug 08, 2008 4:56 pm
Location: Tirana, Albania

Re: ['type'] to limit upload types

Post by The_Anomaly »

onion2k wrote:Don't trust ['type']. It's information that comes from the client, and could consequently be anything. I can upload an executable malware app and make PHP think the type is image/gif or image/jpg or animal/elephant if I want to. Check that the file is the right type when it's been uploaded. Fortunately as you're looking for images it's easy - use getimagesize().
Not to sidetrack the thread--but how would this be done in a video context? If you can't trust [type], what can you trust, when you can't use an image function?
filippo.toso
Forum Commoner
Posts: 30
Joined: Thu Aug 07, 2008 7:18 am
Location: Italy
Contact:

Re: ['type'] to limit upload types

Post by filippo.toso »

You can use the extension of the file as check.

If the user tries to upload a .php file and sends it with an image/jpg mime type, it will be correctly uploaded and the attacker can exploit this behavior (i.e. to install malwares, fishing sites, and so on).

If you check the extension, even if the file is a PHP script with .jpg extension, there's no way it will be executed by the web server and cause security issues (if the server is correctly configured).

A even better solution is to upload the files into a folder protected through an .htaccess that disables any kind of scripting support.
User avatar
The_Anomaly
Forum Contributor
Posts: 196
Joined: Fri Aug 08, 2008 4:56 pm
Location: Tirana, Albania

Re: ['type'] to limit upload types

Post by The_Anomaly »

filippo.toso wrote:You can use the extension of the file as check.

If the user tries to upload a .php file and sends it with an image/jpg mime type, it will be correctly uploaded and the attacker can exploit this behavior (i.e. to install malwares, fishing sites, and so on).

If you check the extension, even if the file is a PHP script with .jpg extension, there's no way it will be executed by the web server and cause security issues (if the server is correctly configured).

A even better solution is to upload the files into a folder protected through an .htaccess that disables any kind of scripting support.
So, a string manipulation function such as strrchr would be better? i.e.:

Code: Select all

$file_ext = strrchr($_FILES['video']['name'], '.');
if($file_ext == "jpg"){
echo "It's a jpg."
}else{
echo "It's not a jpg."
}
I always assumed that the file name (including after the dot, or the extension), could be manipulated easier than anything. So, I thought the MIME would be better---but it appears that's even easier manipulated. Is the above code a relatively secure way of doing it though?
filippo.toso
Forum Commoner
Posts: 30
Joined: Thu Aug 07, 2008 7:18 am
Location: Italy
Contact:

Re: ['type'] to limit upload types

Post by filippo.toso »

File names can be manipulated as well as mime types, but the web server usually use the file extension to decide what to do with a file (ie. execute through Perl/PHP, send to the client, parse using SSI, and so on).

The comparison should be with .jpg, not only jpg

Maybe you can use an array with accepted extensions and in_array().
User avatar
The_Anomaly
Forum Contributor
Posts: 196
Joined: Fri Aug 08, 2008 4:56 pm
Location: Tirana, Albania

Re: ['type'] to limit upload types

Post by The_Anomaly »

filippo.toso wrote:File names can be manipulated as well as mime types, but the web server usually use the file extension to decide what to do with a file (ie. execute through Perl/PHP, send to the client, parse using SSI, and so on).

The comparison should be with .jpg, not only jpg

Maybe you can use an array with accepted extensions and in_array().
Okay, thanks for this information. I'll stop hijacking this thread and make a new one if I have anymore questions about this.
User avatar
onion2k
Jedi Mod
Posts: 5263
Joined: Tue Dec 21, 2004 5:03 pm
Location: usrlab.com

Re: ['type'] to limit upload types

Post by onion2k »

filippo.toso wrote:You can use the extension of the file as check.

If the user tries to upload a .php file and sends it with an image/jpg mime type, it will be correctly uploaded and the attacker can exploit this behavior (i.e. to install malwares, fishing sites, and so on).

If you check the extension, even if the file is a PHP script with .jpg extension, there's no way it will be executed by the web server and cause security issues (if the server is correctly configured).

A even better solution is to upload the files into a folder protected through an .htaccess that disables any kind of scripting support.
People don't upload files to server's just so they can try to execute them through a browser. Taking your example...

I rename output_all_passwords.php to output_all_passwords.jpg. Your script happily accepts it and stores it on the server somewhere.

I now execute a second attack on your website to make an insecure PHP script include it .. say you're doing something very silly like "include $_GET['page'];" ... I request it with insecure_script.php?page=uploads/output_all_passwords.jpg ... ta da, I have all your passwords!

Check the file is what you want it to be. Never, ever rely on anything from the user being what it should be.

@anomaly - To check video files are what they should be either write something to examine the file header or install ffmpeg and use that.
filippo.toso
Forum Commoner
Posts: 30
Joined: Thu Aug 07, 2008 7:18 am
Location: Italy
Contact:

Re: ['type'] to limit upload types

Post by filippo.toso »

If "you're doing something very silly" ...

If allow_url_include is enabled I don't even need to make the upload.

If the web server is configured to parse .jpg images with the Zend engine, I don't even need to find an include security issue.

And so on ...
User avatar
onion2k
Jedi Mod
Posts: 5263
Joined: Tue Dec 21, 2004 5:03 pm
Location: usrlab.com

Re: ['type'] to limit upload types

Post by onion2k »

Yeah, well obviously it depends on the rest of the site and the server set up, but regardless of that trusting the file extension is just giving an attacker another vector, so it's a bad idea. If you need the user to upload an image you should be making sure the file is an image before you save it.
Post Reply