Is it possible to test an uploaded file to check the type? - PHP Development

  1. #1

    Is it possible to test an uploaded file to check the type?

    Is it possible to check a file in $_FILES['userfile']['tmp_name'] to
    make sure it is of a certain format? I want to allow a user to only
    upload jpegs or mpegs, and want to check what format the file is in.

    Thanks in advance,

    Dan Anderson

    Dan Anderson Guest

  2. #2

    Re: [PHP] Is it possible to test an uploaded file to check the type?

    The upload process, already collects info on file types when you upload.
    From the manual ->
    > $_FILES['userfile']['type']
    >
    > The mime type of the file, if the browser provided this
    > information. An example would be "image/gif".
    >
    So, check $_FILES['userfile']['type'] against a set of allowed file
    types, and you're set...

    Marek Kilimajer wrote:
    > If you have compiled php with --enable-mime-magic, you can use
    > mime_content_type()
    >
    > Dan Anderson wrote:
    >
    >> Is it possible to check a file in $_FILES['userfile']['tmp_name'] to
    >> make sure it is of a certain format? I want to allow a user to only
    >> upload jpegs or mpegs, and want to check what format the file is in.
    >>
    >> Thanks in advance,
    >>
    >> Dan Anderson
    >>
    >>
    >
    >
    Gerard Samuel Guest

  3. #3

    Re: [PHP] Is it possible to test an uploaded file to check the type?

    On Sun, 13 Jul 2003 13:32:00 -0400, you wrote:
    >The upload process, already collects info on file types when you upload.
    > From the manual ->
    >
    >> $_FILES['userfile']['type']
    >>
    >> The mime type of the file, if the browser provided this
    >> information. An example would be "image/gif".
    >>
    >So, check $_FILES['userfile']['type'] against a set of allowed file
    >types, and you're set...
    A client-supplied value isn't going to be too useful - it can be spoofed, or
    may not be present. (I believe a Windows browser would set the mime-type
    based purely on the file extension, though I haven't tested this myself).
    >Marek Kilimajer wrote:
    >
    >> If you have compiled php with --enable-mime-magic, you can use
    >> mime_content_type()
    This is the most-benefit least-effort choice if it's available, though I
    believe that flag has been changed since 4.32[?]

    David Otton Guest

  4. #4

    Re: [PHP] Is it possible to test an uploaded file to check the type?

    David Otton wrote:
    >>>$_FILES['userfile']['type']
    >>>
    >>> The mime type of the file, if the browser provided this
    >>> information. An example would be "image/gif".
    >>>
    >>>
    >>>
    >>So, check $_FILES['userfile']['type'] against a set of allowed file
    >>types, and you're set...
    >>
    >>
    >
    >A client-supplied value isn't going to be too useful - it can be spoofed, or
    >may not be present. (I believe a Windows browser would set the mime-type
    >based purely on the file extension, though I haven't tested this myself).
    >
    Then my apologies. I thought php determined the file type on upload,
    and not rely on user input as you're saying.
    Makes me rethink some of my own code :)

    Gerard Samuel Guest

  5. #5

    Re: [PHP] Is it possible to test an uploaded file to check the type?

    Gerard Samuel wrote:
    >> A client-supplied value isn't going to be too useful - it can be
    >> spoofed, or
    >> may not be present. (I believe a Windows browser would set the mime-type
    >> based purely on the file extension, though I haven't tested this
    >> myself).
    >>
    >
    > Then my apologies. I thought php determined the file type on upload,
    > and not rely on user input as you're saying.
    > Makes me rethink some of my own code :)

    Looking for opinions. Can a spoofed uploaded file hurt a script or a
    webserver??
    Reason why I'm asking is because I looked over the magic.mime file on my
    server, and I see that it doesn't support flash files (I may be wrong),
    of which I currently allow flash files to be uploaded.
    So who knows what else it may not support.
    I guess, can it really be bad for your script, your server, and/or your
    health??

    Gerard Samuel Guest

  6. #6

    Re: [PHP] Is it possible to test an uploaded file to check the type?

    On Mon, 14 Jul 2003 00:24:03 -0400, you wrote:
    >Looking for opinions. Can a spoofed uploaded file hurt a script or a
    >webserver??
    >Reason why I'm asking is because I looked over the magic.mime file on my
    >server, and I see that it doesn't support flash files (I may be wrong),
    >of which I currently allow flash files to be uploaded.
    >So who knows what else it may not support.
    >I guess, can it really be bad for your script, your server, and/or your
    >health??

    The following is just uninformed opinion, as I haven't sat down and tested
    any of this, or even thought about it to any great degree. I'd welcome
    anyone telling me where I'm wrong.

    I wouldn't want user-created data to end up under the webroot. I'd always be
    worrying about, say, someone uploading a file that used SSI to sneak the
    database password file out of the server, or something. And even if I
    plugged that hole, there might be another, and another... rather than plug
    individual holes, I'd want to avoid that entire class of problems.

    The best approach, IMO, is to keep such uploaded files outside the webroot,
    and call them via a PHP script. Something like

    /show_resource.php?resourceid=1535

    with the resource directory either waaaay over there, or (my preference)
    replaced by a database table. The show-resource.php script just has to set
    the correct mime type header and stream out the contents of the file.

    David Otton Guest
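
A sketch of the show_resource.php approach from the post above, added here as an example and not the poster's own code. The storage path, the `lookup_resource()` table and the allowlist are assumptions made for illustration.

```php
<?php
// show_resource.php?resourceid=1535 (added example).
// Assumptions: uploads live in UPLOAD_DIR outside the webroot, and
// lookup_resource() stands in for the database table mapping ids to files.

const UPLOAD_DIR = '/var/data/uploads';   // hypothetical path, not under the webroot
const SERVABLE = ['image/jpeg', 'image/gif', 'image/png', 'audio/mpeg'];

/** Hypothetical lookup: id => [stored file name, MIME type recorded at upload]. */
function lookup_resource(int $id): ?array
{
    $table = [1535 => ['9f2c4e.jpg', 'image/jpeg']];   // constructed row
    return $table[$id] ?? null;
}

/** Resolves an id to [path, mime], or null if it must not be served. */
function resolve_resource(string $rawId): ?array
{
    if (!ctype_digit($rawId)) {
        return null;   // numeric ids only; the client never supplies a path
    }
    $row = lookup_resource((int) $rawId);
    if ($row === null || !in_array($row[1], SERVABLE, true)) {
        return null;
    }
    $path = UPLOAD_DIR . '/' . basename($row[0]);
    return is_file($path) ? [$path, $row[1]] : null;
}

$raw = $_GET['resourceid'] ?? '';
$res = resolve_resource(is_string($raw) ? $raw : '');
if ($res === null) {
    http_response_code(404);
    exit;
}
header('Content-Type: ' . $res[1]);            // type chosen by the server
header('X-Content-Type-Options: nosniff');     // browser must not re-guess it
header('Content-Length: ' . filesize($res[0]));
readfile($res[0]);
```

Because the files are only ever read and streamed by this script, the web server never interprets them itself.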

  7. #7

    Re: [PHP] Is it possible to test an uploaded file to check the type?

    > So, check $_FILES['userfile']['type'] against a set of allowed file
    > types, and you're set...
    What about this:

    array getimagesize ( string filename [, array imageinfo])


    Nadim Attari Guest

  8. Moderated Post

    Re: [PHP] Is it possible to test an uploaded file to check the type?

    Removed by Administrator
    Gerard Samuel Guest
    Moderated Post

  9. #9

    Re: [PHP] Is it possible to test an uploaded file to check the type?

    > Is it possible to check a file in $_FILES['userfile']['tmp_name'] to
    > make sure it is of a certain format? I want to allow a user to only
    > upload jpegs or mpegs, and want to check what format the file is in.
    If there are only a few types, and you know what those types should look
    like, it shouldn't be too hard. Maybe.

    For instance, you could try having your application open the putative
    jpeg with the GIMP, and if the GIMP fails to open it or bombs, then your
    application rejects the upload. ;-P

    (If you actually did use the GIMP for this, however, you don't want to
    call the GIMP directly from PHP/Apache. Not only would it bog your web
    app down, but it would potentially open your site up to secure attacks
    against a piece of software that is not known to be secure. What you'd
    want is something like a cron job to look at the upload directory for
    new uploads and pass them to a script that would call the GIMP to do the
    check. That way, if the GIMP dies, there is no open shell connected to
    an IP port. The cron job would also want to call something to clean up
    any dead processes left around.)

    I think there are dedicated jpeg validation libraries floating around.
    Not sure about MPEG. If it's a simple format, you may be able to write
    your own parser (regex?) for it, in which case, maybe you only need to
    check the first 100 or 1000 or so bytes.

    Checking to make sure a file was _not_ an MS-DOS executable used to be
    fairly easy.

    Anyway, whether you parse or let the user tell you (MISE) depends on how
    careful you need to be (i. e., what your application is going to do with
    the upload).

    --
    Joel Rees, programmer, Kansai Systems Group
    Altech Corporation (Alpsgiken), Osaka, Japan
    http://www.alpsgiken.co.jp

    Joel Rees Guest

  10. #10

    Securing File Uploads Was: Is it possible to test an uploaded file to check the type?

    Sorry for bringing this back to life, but I'm looking for some more opinions.
    A friend and I are somewhat deadlocked as to whether, with available
    tools via php, it's possible to *reliably* secure file uploads.
    File uploads currently encompass images, mp3, real audio files,
    with plans for ogg vorbis, flash, and whatever audio/visual/document
    file formats I can make php read its metadata.
    These files will be used in a gallery type environment, to be displayed,
    downloaded, or streamed.
    The end product will be used by people who most likely will have their
    sites hosted, thus no real control over the server, and can be run on
    *nix/Windows environments.

    Browsers that I've tested with: IE 6, Mozilla 1.4 (Windows/FreeBSD),
    Opera 6 (FreeBSD)

    Spoofed file in question: Renamed putty.exe to putty.mp3
    Side Note: Image uploading can more or less be considered secure
    because I'm running it through getimagesize(), which will report false on
    non-image files.

    Currently, the upload process checks the browser-reported mime type
    against a predefined set of mime types. The file extension is checked
    against a set of predefined file extensions. Then the file is moved to
    its final destination, and is read for its sequence of magic bytes for
    its metadata (which depends on the file's extension, so it knows what to
    look for).
    Files are stored in a predefined directory under the webroot.

    With IE6, the upload fails because it correctly reported putty.mp3's
    mime type as not being an mp3 file.
    With the other browsers in question, they solely report the mime types
    according to the file's extension, so the file is successfully uploaded.

    Now remember that the target audience for the script will most likely
    be on a shared host, thus no control over the server.
    Is there anything else I can do using php that can help in making the
    process more secure???

    mime_content_type() isn't an option, as it doesn't report all mime types.
    Reversing the order of reading the file's magic bytes and storing it
    doesn't really improve matters, as it depends on a file's extension.

    Thanks for any tips/pointers you can provide, and sorry for the long post...


    Dan Anderson wrote:
    >There are some very good reasons to check a file's mime type. For one
    >thing, if you send a user an executable when you meant to send them a
    >jpg, and that executable unleashes a virus, that is no good. Not only
    >will no one visit your site if they know you are a source of viruses, you
    >may get sued for damages. (Computers are expensive!)
    Gerard Samuel Guest
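
One way to take the file extension out of the decision described in the post above: classify the temporary file by its leading bytes first, then let the server pick the stored name and extension. This is an added example, not code from the thread; the signature table is a small illustrative subset and `accept_upload()` and its storage directory are hypothetical.

```php
<?php
// Added example: classify an upload by its leading bytes instead of the
// browser-supplied $_FILES[...]['type'] or the client's file name.

// Leading bytes => [MIME type, extension the server will store it under].
const SIGNATURES = [
    "\xFF\xD8\xFF"      => ['image/jpeg', 'jpg'],
    "GIF87a"            => ['image/gif', 'gif'],
    "GIF89a"            => ['image/gif', 'gif'],
    "\x89PNG\r\n\x1A\n" => ['image/png', 'png'],
    "OggS"              => ['application/ogg', 'ogg'],
    "ID3"               => ['audio/mpeg', 'mp3'],  // MP3 carrying an ID3v2 tag
];

/** Returns [mime, ext] when the content matches a known signature, else null. */
function sniff_type(string $path): ?array
{
    $head = (string) @file_get_contents($path, false, null, 0, 16);
    foreach (SIGNATURES as $magic => $type) {
        if (strncmp($head, $magic, strlen($magic)) === 0) {
            return $type;
        }
    }
    return null;
}

/** Checks one $_FILES entry and moves it into $storeDir under a server-chosen name. */
function accept_upload(array $file, string $storeDir): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $type = sniff_type($file['tmp_name']);
    if ($type === null) {
        return null;  // a renamed .exe begins with "MZ" and matches nothing here
    }
    $name = bin2hex(random_bytes(16)) . '.' . $type[1];
    return move_uploaded_file($file['tmp_name'], "$storeDir/$name") ? $name : null;
}

// Constructed samples: an executable header (as in putty.mp3) and a JPEG header.
$tmp = tempnam(sys_get_temp_dir(), 'up');
foreach (["MZ\x90\x00\x03\x00", "\xFF\xD8\xFF\xE0\x00\x10JFIF\x00"] as $bytes) {
    file_put_contents($tmp, $bytes);
    echo json_encode(sniff_type($tmp)), "\n";
}
unlink($tmp);
```

A signature match only describes the first few bytes; MP3 files without an ID3v2 tag are not recognised by this table and would need a frame-level check.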

  11. #11

    Re: [PHP] Securing File Uploads Was: Is it possible to test an uploaded file to check the type?

    On Saturday 19 July 2003 04:49, Gerard Samuel wrote:
    > Sorry for bringing this back to life, but I'm looking for some more opinions.
    > A friend and I are somewhat deadlocked as to whether, with available
    > tools via php, it's possible to *reliably* secure file uploads.
    > File uploads currently encompass images, mp3, real audio files,
    > with plans for ogg vorbis, flash, and whatever audio/visual/document
    > file formats I can make php read its metadata.
    > These files will be used in a gallery type environment, to be displayed,
    > downloaded, or streamed.
    > The end product will be used by people who most likely will have their
    > sites hosted, thus no real control over the server, and can be run on
    > *nix/Windows environments.
    In a response to your previous posts on this matter, I suggested that you
    search freshmeat/sourceforge for a PHP-based media file metadata extractor
    (yes one does exist). I'm putting forward the same suggestion again.

    --
    Jason Wong -> Gremlins Associates -> www.gremlins.biz
    Open Source Software Systems Integrators
    * Web Design & Hosting * Internet & Intranet Applications Development *
    ------------------------------------------
    Search the list archives before you post
    http://marc.theaimsgroup.com/?l=php-general
    ------------------------------------------
    /*
    The story you are about to hear is true. Only the names have been
    changed to protect the innocent.
    */

    Jason Wong Guest

  12. #12

    Re: [PHP] Securing File Uploads Was: Is it possible to test an uploaded file to check the type?

    Gerard Samuel <gsamtrini0.org> wrote:
    > Jason Wong wrote:
    >
    > >In a response to your previous posts on this matter, I suggested that you
    > >search freshmeat/sourceforge for a PHP-based media file metadata extractor
    > >(yes one does exist). I'm putting forward the same suggestion again.
    > >
    > >
    > Ok, I'll look, but not sure what good it will do me, as I'm already
    > reading a file's metadata (using my own code).
    > I'm basing my assumption, on that binary data may share so called "magic"
    > bytes.
    > Like an mpeg header (11111111111) may/or may not appear in other file
    > formats. (Purely an assumption as of this moment)
    > But thanks for reminding me on the other code...
    I hope you're not using that 11111111111, that isn't correct for an mpeg
    file.

    I would also point out that even if the magic was unique and you could
    tell that the file was the type it is supposed to be, the person can
    still put invalid data inside there. Like wrap a jpeg header and eof
    marker in there but have an executable within it.

    Some file formats have crc's built in, like mp3. You could also run a
    crc check on the files if it's available. I believe avi's do too, but I'm
    sure since this isn't reliable it isn't going to be a reasonable
    solution.

    Another thing to do to guarantee the file would be to decode the format
    and then re-encode it, i.e. (mpeg, mp3, jpeg, gif, etc.). Then again this seems
    like overkill and plus with lossy formats like mp3 and jpeg you'll lose
    quality.

    I'm not sure if this is a big issue for you, I just thought I'd point
    that out.

    Anyway, that's just a few comments I had on that.

    Curt.
    --


    Curt Zirzow Guest
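
The decode-and-re-encode idea from the post above, shown for images with PHP's GD extension. This is an added example, not code from the thread; `reencode_image()`, the pixel limit and the sample file are constructed for illustration.

```php
<?php
// Added example: decode an uploaded image with GD and write a fresh copy, so
// only decoded pixels are stored. Requires the GD extension.

const MAX_PIXELS = 25000000;  // assumed limit on width * height

/** Re-encodes $src to "$dstBase.<ext>"; returns the new path, or null on failure. */
function reencode_image(string $src, string $dstBase): ?string
{
    $info = @getimagesize($src);  // false when the data is not an image
    if ($info === false || $info[0] * $info[1] > MAX_PIXELS) {
        return null;
    }
    $codecs = [
        IMAGETYPE_JPEG => ['imagecreatefromjpeg', 'imagejpeg', 'jpg'],
        IMAGETYPE_PNG  => ['imagecreatefrompng',  'imagepng',  'png'],
        IMAGETYPE_GIF  => ['imagecreatefromgif',  'imagegif',  'gif'],
    ];
    if (!isset($codecs[$info[2]])) {
        return null;
    }
    [$decode, $encode, $ext] = $codecs[$info[2]];
    $img = @$decode($src);
    if ($img === false) {
        return null;  // header was plausible but the body did not decode
    }
    imagesavealpha($img, true);  // keep PNG transparency
    $dst = "$dstBase.$ext";
    return $encode($img, $dst) ? $dst : null;
}

// Constructed sample: a valid 8x8 JPEG with unrelated bytes appended after it.
$src = tempnam(sys_get_temp_dir(), 'img');
imagejpeg(imagecreatetruecolor(8, 8), $src);
file_put_contents($src, 'CONSTRUCTED-TRAILING-DATA', FILE_APPEND);

$out = reencode_image($src, $src . '-clean');
// Is the appended marker present in the original, and in the re-encoded copy?
var_dump(strpos(file_get_contents($src), 'CONSTRUCTED-TRAILING-DATA') !== false);
var_dump(strpos(file_get_contents($out), 'CONSTRUCTED-TRAILING-DATA') !== false);
unlink($src);
unlink($out);
```

GD keeps only the first frame of an animated GIF, and JPEG output is re-compressed, so this trades some fidelity for a file whose bytes the server produced itself.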
