Re: Virus scanning
Posted: Sat Mar 28, 2009 4:00 am
My main question is: if you don't want to rely on having a virus scanner check every uploaded file, what else do you have to do to make uploading of files and/or images by users secure. Maybe it's best to just focus on images alone.
So if you look at the article
http://blog.insicdesigns.com/2009/01/se ... lications/
there are a few measures discussed, one by one not enough.

Checking of mime type
Code:
if($_FILES['userfile']['type'] != "image/gif") {
    echo "Sorry, we only allow uploading GIF images";
    exit;
}
As an attacker can set the mime-type in the request, this check will not be enough.

Image file content verification
Code:
$imageinfo = getimagesize($_FILES['userfile']['tmp_name']);
// getimagesize() returns false when the file is not an image at all
if($imageinfo === false || ($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg')) {
    echo "Sorry, we only accept GIF and JPEG images\n";
    exit;
}
Again, this is not enough as a valid image can also contain some other text content, which can be misused.

File name extension verification
Code:
$blacklist = array(".php", ".phtml", ".php3", ".php4");
foreach ($blacklist as $item) {
    // preg_quote() escapes the dot, so ".php" does not also match names like "xphp"
    if(preg_match("/" . preg_quote($item, "/") . "\$/i", $_FILES['userfile']['name'])) {
        echo "We do not allow uploading PHP files\n";
        exit;
    }
}
Again, not enough as, depending on the configuration of the server, over which many people have little control, the server can allow other extensions than php to be run through the php parser. Of course you can say that is a problem of the server which should be solved. However, let's just assume that we can't do anything about that.

Now you talked about an alternative way of allowing (and securing) uploads and that is by uploading them to a different domain. I am still not quite sure what exactly that should prevent and how. And, what one should do if you do not have access to multiple domains.
[edit:]
Maybe it's best for the discussion to talk about two different things:
1) first, in which ways uploaded images (and files) can be misused. Executing a malicious php command is something different from doing something with a browser flash plugin.
2) second, how to prevent these problems.
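As an added example (not code from this thread or from the linked article), here is one upload handler that layers the three checks above instead of relying on any one of them, re-encodes the image so content hidden inside an otherwise valid image is not carried into the stored file, and stores the result under a random server-chosen name outside the web root so it can never reach the PHP parser. It assumes the GD extension is loaded and that UPLOAD_DIR (a hypothetical path) is a writable directory the web server does not serve directly.

```php
<?php
// Added example, not code from the thread or the linked article. Assumes the GD
// extension is loaded and that UPLOAD_DIR (hypothetical path) is a writable
// directory the web server does not serve directly.
const UPLOAD_DIR = '/var/app/uploads';
const MAX_BYTES  = 2 * 1024 * 1024;

// Allowlist (the article uses a blacklist): extension => image type that the
// file's bytes must actually have.
const ALLOWED = ['gif' => IMAGETYPE_GIF, 'jpg' => IMAGETYPE_JPEG,
                 'jpeg' => IMAGETYPE_JPEG, 'png' => IMAGETYPE_PNG];

// Returns the server-chosen file name on success, null on rejection.
function store_uploaded_image(array $file): ?string
{
    if (($file['error'] ?? -1) !== UPLOAD_ERR_OK || $file['size'] > MAX_BYTES) {
        return null;
    }
    // 1. Extension must be on the allowlist; $_FILES['type'] is ignored since
    //    the client sets it.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return null;
    }
    // 2. Content check on the bytes, and the detected type must match the extension.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[2] !== ALLOWED[$ext]) {
        return null;
    }
    // 3. Decode to pixels and write a fresh file: anything appended to or
    //    embedded in the original (PHP code, scripts, comments) is not copied.
    $img = @imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($img === false) {
        return null;
    }
    // 4. Random server-chosen name, stored outside the web root, so the file
    //    can never reach the PHP parser regardless of how extensions are mapped.
    $name = bin2hex(random_bytes(16)) . '.' . ($ext === 'jpeg' ? 'jpg' : $ext);
    $dest = UPLOAD_DIR . '/' . $name;
    $ok = match (ALLOWED[$ext]) {
        IMAGETYPE_GIF  => imagegif($img, $dest),
        IMAGETYPE_JPEG => imagejpeg($img, $dest, 85),
        IMAGETYPE_PNG  => imagepng($img, $dest),
    };
    imagedestroy($img);
    return $ok ? $name : null;
}
```

Serve the stored file through a small script (or from the separate static domain discussed above) that sets the Content-Type from the stored extension, rather than exposing UPLOAD_DIR directly. Note that re-encoding with GD drops GIF animation and image metadata, which is usually the intent here.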