['type'] to limit upload types
Posted: Sun Aug 10, 2008 4:27 pm
by mart3ndo
Hi,
I have a basic upload script:
Code:
// Turn the image that is being uploaded into a variable.
$imagename = $_FILES['image']['name'];
// Copies the image from your web server's temporary file to your web server
copy($_FILES['image']['tmp_name'], "./images/".time()."$imagename");
I have been told to use the ['type'] function in this script to limit what can be uploaded (png,jpg,jpeg,gif), but am unsure how to implement this.
Thanks,
Martyn
Re: ['type'] to limit upload types
Posted: Sun Aug 10, 2008 11:43 pm
by califdon
Re: ['type'] to limit upload types
Posted: Mon Aug 11, 2008 3:29 am
by The_Anomaly
This link explains it perfectly--but
here is a list of all of the MIME types, like the "image/gif" on that guide. Handy to have, so you're not searching all over the place for them.
Of course, if you're accepting multiple types, you can use the "||" operator in the conditional statement. Like this:
Code:
if($_FILES['video']['type'] == "video/x-ms-wmv" || $_FILES['video']['type'] == "video/mpeg" || $_FILES['video']['type'] == "video/avi"){
echo "Congratulations! It's a video!";
}else{
echo "Go diaf, you cracker.";
}
Although, you might not want to add that else statement.
EDIT:
Check these links out too, to see why the code in your OP is insecure:
http://www.php.net/moveuploadedfile
http://www.php.net/isuploadedfile
Re: ['type'] to limit upload types
Posted: Mon Aug 11, 2008 3:37 am
by onion2k
Don't trust ['type']. It's information that comes from the client, and could consequently be anything. I can upload an executable malware app and make PHP think the type is image/gif or image/jpg or animal/elephant if I want to. Check that the file is the right type when it's been uploaded. Fortunately as you're looking for images it's easy - use getimagesize().
Re: ['type'] to limit upload types
Posted: Mon Aug 11, 2008 3:42 am
by The_Anomaly
onion2k wrote: Don't trust ['type']. It's information that comes from the client, and could consequently be anything. I can upload an executable malware app and make PHP think the type is image/gif or image/jpg or animal/elephant if I want to. Check that the file is the right type when it's been uploaded. Fortunately as you're looking for images it's easy - use getimagesize().
Not to sidetrack the thread--but how would this be done in a video context? If you can't trust [type], what can you trust, when you can't use an image function?
Re: ['type'] to limit upload types
Posted: Mon Aug 11, 2008 3:49 am
by filippo.toso
You can use the extension of the file as check.
If the user tries to upload a .php file and sends it with an image/jpg mime type, it will be correctly uploaded and the attacker can exploit this behavior (i.e. to install malware, phishing sites, and so on).
If you check the extension, even if the file is a PHP script with .jpg extension, there's no way it will be executed by the web server and cause security issues (if the server is correctly configured).
An even better solution is to upload the files into a folder protected through an .htaccess that disables any kind of scripting support.
Re: ['type'] to limit upload types
Posted: Mon Aug 11, 2008 4:06 am
by The_Anomaly
filippo.toso wrote: You can use the extension of the file as check.
If the user tries to upload a .php file and sends it with an image/jpg mime type, it will be correctly uploaded and the attacker can exploit this behavior (i.e. to install malware, phishing sites, and so on).
If you check the extension, even if the file is a PHP script with .jpg extension, there's no way it will be executed by the web server and cause security issues (if the server is correctly configured).
An even better solution is to upload the files into a folder protected through an .htaccess that disables any kind of scripting support.
So, a string manipulation function such as strrchr would be better? i.e.:
Code:
$file_ext = strrchr($_FILES['video']['name'], '.');
if($file_ext == "jpg"){
echo "It's a jpg.";
}else{
echo "It's not a jpg.";
}
I always assumed that the file name (including after the dot, or the extension) could be manipulated more easily than anything. So, I thought the MIME would be better---but it appears that's even more easily manipulated. Is the above code a relatively secure way of doing it though?
Re: ['type'] to limit upload types
Posted: Mon Aug 11, 2008 4:14 am
by filippo.toso
File names can be manipulated as well as mime types, but the web server usually uses the file extension to decide what to do with a file (i.e. execute through Perl/PHP, send to the client, parse using SSI, and so on).
The comparison should be with .jpg, not only jpg.
Maybe you can use an array with accepted extensions and in_array().
Re: ['type'] to limit upload types
Posted: Mon Aug 11, 2008 4:17 am
by The_Anomaly
filippo.toso wrote: File names can be manipulated as well as mime types, but the web server usually uses the file extension to decide what to do with a file (i.e. execute through Perl/PHP, send to the client, parse using SSI, and so on).
The comparison should be with .jpg, not only jpg.
Maybe you can use an array with accepted extensions and in_array().
Okay, thanks for this information. I'll stop hijacking this thread and make a new one if I have any more questions about this.
Re: ['type'] to limit upload types
Posted: Mon Aug 11, 2008 4:40 am
by onion2k
filippo.toso wrote: You can use the extension of the file as check.
If the user tries to upload a .php file and sends it with an image/jpg mime type, it will be correctly uploaded and the attacker can exploit this behavior (i.e. to install malware, phishing sites, and so on).
If you check the extension, even if the file is a PHP script with .jpg extension, there's no way it will be executed by the web server and cause security issues (if the server is correctly configured).
An even better solution is to upload the files into a folder protected through an .htaccess that disables any kind of scripting support.
People don't upload files to servers just so they can try to execute them through a browser. Taking your example...
I rename output_all_passwords.php to output_all_passwords.jpg. Your script happily accepts it and stores it on the server somewhere.
I now execute a second attack on your website to make an insecure PHP script include it .. say you're doing something very silly like "include $_GET['page'];" ... I request it with insecure_script.php?page=uploads/output_all_passwords.jpg ... ta da, I have all your passwords!
Check the file is what you want it to be. Never, ever rely on anything from the user being what it should be.
@anomaly - To check video files are what they should be either write something to examine the file header or install ffmpeg and use that.
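A header check of the kind this post describes, as an added example that is not part of the original thread. The helper name detect_video_container() is hypothetical, it recognises only the three formats named earlier in the thread (AVI, WMV, MPEG) from their leading bytes, and the sample inputs are constructed.

```php
<?php
// Added example: identify a video container from its leading bytes instead
// of trusting ['type'] or the extension. detect_video_container() is a
// hypothetical helper name, not code from the thread.

function detect_video_container(string $path): ?string
{
    $fh = fopen($path, 'rb');
    if ($fh === false) {
        return null;
    }
    $head = (string) fread($fh, 16);
    fclose($fh);

    // AVI: RIFF container whose form type at offset 8 is "AVI ".
    if (strlen($head) >= 12 && substr($head, 0, 4) === 'RIFF'
        && substr($head, 8, 4) === 'AVI ') {
        return 'avi';
    }
    // WMV: the file starts with the 16-byte ASF header object GUID.
    if ($head === hex2bin('3026b2758e66cf11a6d900aa0062ce6c')) {
        return 'wmv';
    }
    // MPEG: program stream pack header (00 00 01 BA) or a video
    // sequence header (00 00 01 B3) at the start of the file.
    $start = substr($head, 0, 4);
    if ($start === "\x00\x00\x01\xBA" || $start === "\x00\x00\x01\xB3") {
        return 'mpeg';
    }
    return null; // Unknown or not a video: reject the upload.
}

// Constructed samples: a PHP script renamed to .avi, and a minimal RIFF/AVI header.
$samples = [
    'renamed-script.avi' => '<?php echo 1;',
    'real-header.avi'    => "RIFF\x10\x00\x00\x00AVI LIST",
];
foreach ($samples as $name => $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'vid');
    file_put_contents($tmp, $bytes);
    var_dump($name, detect_video_container($tmp)); // NULL, then "avi"
    unlink($tmp);
}
```

A matching header only shows that the file starts like that container; fully decoding it with a tool such as ffmpeg, as the post suggests, is the stronger check.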
Re: ['type'] to limit upload types
Posted: Mon Aug 11, 2008 4:49 am
by filippo.toso
If "you're doing something very silly" ...
If allow_url_include is enabled I don't even need to make the upload.
If the web server is configured to parse .jpg images with the Zend engine, I don't even need to find an include security issue.
And so on ...
Re: ['type'] to limit upload types
Posted: Mon Aug 11, 2008 4:57 am
by onion2k
Yeah, well obviously it depends on the rest of the site and the server setup, but regardless of that, trusting the file extension is just giving an attacker another vector, so it's a bad idea. If you need the user to upload an image you should be making sure the file is an image before you save it.
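One way to do what the thread converges on for the original image upload, as an added example that is not code from any poster: the content is checked with getimagesize(), the extension is chosen by the server, and the file is moved with move_uploaded_file(). The helper name store_uploaded_image() is hypothetical, and PHP 7 or later is assumed.

```php
<?php
// Added example: validate an uploaded image by its content, not by the
// client-supplied ['type'] or file name. The field name 'image' and the
// ./images directory follow the original post.

function store_uploaded_image(array $file, string $destDir): string
{
    // Reject failed uploads and anything that is not a real HTTP upload.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed.');
    }

    // getimagesize() reads the file header and returns false for non-images.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false) {
        throw new RuntimeException('File is not an image.');
    }

    // Map the detected type (index 2) to an extension chosen by the server.
    $allowed = [
        IMAGETYPE_GIF  => '.gif',
        IMAGETYPE_JPEG => '.jpg',
        IMAGETYPE_PNG  => '.png',
    ];
    if (!isset($allowed[$info[2]])) {
        throw new RuntimeException('Image type not allowed.');
    }

    // Never reuse the client's file name: generate one on the server.
    $name = time() . '_' . bin2hex(random_bytes(8)) . $allowed[$info[2]];
    $dest = rtrim($destDir, '/') . '/' . $name;

    // move_uploaded_file() itself refuses sources that were not uploaded.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store the file.');
    }
    return $dest;
}

if (isset($_FILES['image'])) {
    try {
        echo 'Stored as ' . htmlspecialchars(store_uploaded_image($_FILES['image'], './images'));
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage());
    }
}
```

A file can pass getimagesize() and still carry extra bytes after the image data, so this check complements, rather than replaces, storing uploads in a folder where scripting is disabled, as suggested earlier in the thread.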