filesize info in header

estarapapax
Forum Newbie
Posts: 7
Joined: Fri Feb 20, 2009 12:03 am

Post by estarapapax »

I'm building a website which allows users to put the URL of their text files in a query parameter. Ex:
process.php?loc=http://domain.com/user/filename.txt

My PHP scripts always load the contents of these textfiles and that's why I need to check the filesize of these files, to prevent my site from crashing. But now, I got a bigger question. What if a hacker is able to change the filesize header info but in actuality the file is still extra large? Will Apache (I am using Apache) stop downloading the bits in excess of the declared filesize in the header or will it load the entire large file regardless of the filesize header info?
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: filesize info in header

Post by kaisellgren »

How are you exactly doing this limitation?

My guess is that the file is downloaded to a temporary location, checked for its size and then either deleted permanently or moved into the final destination.

Are you using default PHP upload capabilities?
jazz090
Forum Contributor
Posts: 176
Joined: Sun Apr 12, 2009 3:29 pm
Location: England

Re: filesize info in header

Post by jazz090 »

Why are you making this complicated? Just read the file with get_file_contents() and equal it to a var.
Use strlen() to get its length instead of the filesize(); this way filesize and contents are always in the same level.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: filesize info in header

Post by kaisellgren »

Code:

filesize($a) == strlen(file_get_contents($a,FILE_BINARY))
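
Added example, not code from any poster in this thread: one way to handle the case raised in the first post, where the declared size and the real size disagree, is to treat Content-Length only as an early-reject hint and to enforce the limit on the bytes actually read. The names readCapped, fetchRemoteText and MAX_BYTES, the 1 MiB limit and the 5-second timeout are assumptions made for illustration.

```php
<?php
const MAX_BYTES = 1048576; // assumed limit (1 MiB); pick your own
// Read at most $maxBytes from an open stream; null means "too large" or read error.
function readCapped($stream, int $maxBytes): ?string
{
    $body = '';
    while (!feof($stream)) {
        // Request one byte past the remaining budget so an oversize body is detectable.
        $chunk = fread($stream, min(8192, $maxBytes - strlen($body) + 1));
        if ($chunk === false) {
            return null;
        }
        $body .= $chunk;
        if (strlen($body) > $maxBytes) {
            return null; // stop reading; the remainder is never pulled in
        }
    }
    return $body;
}

// Hypothetical wrapper for the ?loc= parameter described in the question.
function fetchRemoteText(string $url, int $maxBytes = MAX_BYTES): ?string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if ($scheme !== 'http' && $scheme !== 'https') {
        return null; // only remote HTTP(S) locations, never local paths or other wrappers
    }
    $ctx = stream_context_create(['http' => ['timeout' => 5]]); // assumed timeout
    $stream = @fopen($url, 'rb', false, $ctx);
    if ($stream === false) {
        return null;
    }
    // The declared size is only a hint from the remote side: use it to reject early...
    foreach (stream_get_meta_data($stream)['wrapper_data'] ?? [] as $header) {
        if (preg_match('/^Content-Length:\s*(\d+)/i', $header, $m) && (int) $m[1] > $maxBytes) {
            fclose($stream);
            return null;
        }
    }
    $body = readCapped($stream, $maxBytes); // ...and enforce the limit on bytes received
    fclose($stream);
    return $body;
}

// Constructed demo, runs offline: a 5000-byte stream checked against a 1024-byte cap.
$fake = fopen('php://temp', 'w+b');
fwrite($fake, str_repeat('A', 5000));
rewind($fake);
echo readCapped($fake, 1024) === null ? "rejected\n" : "accepted\n";
```

Because the cap is applied inside the read loop, memory use stays bounded by the limit plus one byte, whatever size the remote side declares.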