executable file types

Posted: Sat Feb 02, 2008 12:05 pm
by m2babaey
Hi
I want to run a file upload service and plan to restrict uploading executable file types for security.
What are executable file types?
exe, bat, php, phpx, aspx, asp,
What else do you know?

Re: executable file types

Posted: Sat Feb 02, 2008 3:08 pm
by Doug G
I assume you mean Windows executables. Here are a few more: .cmd, .vbs, .js, .pl, and I'm sure quite a few more. .pl if you have Perl installed.

Re: executable file types

Posted: Sat Feb 02, 2008 3:49 pm
by Ambush Commander
Instead of checking file extensions, which can be spoofed, you should be using functions like finfo or mime magic to find out what's actually inside the file.

Re: executable file types

Posted: Wed Feb 06, 2008 2:29 am
by vigge89
It's usually safer to specify which file types are allowed. I'd do what Ambush Commander said, but if you don't want/aren't able to use the finfo/mime type extensions I can always point to my tiny FileFormatIdentifier project :)

Re: executable file types

Posted: Wed Feb 06, 2008 4:16 am
by Kieran Huggins
In addition to checking the extension, rename them to (and store them as) the md5 of their contents, keeping their details in a DB. In Windows you can't execute them that way, and in Linux CHMOD them -x. Problem solved on your end!

Since they have no discernible mime type you'll never be able to restrict scripts completely, but you will be able to warn users about certain file extensions.
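
The suggestions in the posts above combined (an allowlist of types, a finfo check on the file contents, storage under the md5 of the contents with no execute bit), as an added example that is not part of the original thread. `ALLOWED_TYPES`, `store_upload()` and the two sample files are hypothetical and constructed for the demo; it assumes PHP 7 or later with the fileinfo extension enabled.

```php
<?php
// Allowlist of content types, as detected from the bytes (hypothetical choice).
const ALLOWED_TYPES = ['image/png', 'image/jpeg', 'image/gif'];

// Hypothetical helper: validate an uploaded temp file and store it safely.
function store_upload(string $tmpPath, string $clientName, string $storeDir): array
{
    // Detect the type from the contents; the client-supplied name is untrusted.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);
    if (!in_array($mime, ALLOWED_TYPES, true)) {
        throw new RuntimeException('rejected, detected type ' . var_export($mime, true));
    }
    // Store under the md5 of the contents, with no extension the server could map
    // to an interpreter. Type detection alone is not a guarantee, so the stored
    // name and permissions matter as well.
    $hash = md5_file($tmpPath);
    $dest = rtrim($storeDir, '/') . '/' . $hash;
    // In a real upload handler use move_uploaded_file() on the $_FILES tmp_name.
    if (!copy($tmpPath, $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640); // no execute bits
    // The original name is kept only as metadata (for the DB), never as a path.
    return ['stored_as' => $hash, 'mime' => $mime, 'original_name' => basename($clientName)];
}

// Constructed sample uploads: a minimal GIF, and a script with a spoofed extension.
$samples = [
    'photo.gif'  => "GIF89a\x01\x00\x01\x00\x00\x00\x00;",
    'avatar.gif' => "<?php echo 'hi'; ?>",
];
$dir = sys_get_temp_dir() . '/upload_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
foreach ($samples as $name => $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tmp, $bytes);
    try {
        $r = store_upload($tmp, $name, $dir);
        echo "$name -> stored as {$r['stored_as']} ({$r['mime']})\n";
    } catch (RuntimeException $e) {
        echo "$name -> " . $e->getMessage() . "\n";
    }
    unlink($tmp);
}
```

Keeping the storage directory outside the web root, and serving files through a download script that looks up the hash in the DB, means the web server never resolves a stored file by a user-chosen name.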

Re: executable file types

Posted: Sun Feb 10, 2008 9:15 pm
by dayyanb
Don't forget .cgi