Re: checking file type on upload

Sebastian wrote:
> I have an upload form which I would only like to allow compressed zip
> files and rar files to be uploaded. Currently I use
>
> if ($_FILES['userfile']['type'] != 'application/x-zip-compressed')
>
> which only seems to work in IE, doesn't work in Mozilla (haven't tried
> others). What's the best way to detect if it's a rar or zip file which
> works in a better range of browsers? Someone gave me a suggestion to
> check if the file ends in .rar or .zip but that isn't very secure since
> anyone would be able to append it to the filename regardless of the
> actual file type.

The 'type' in $_FILES is just some made-up bull[bleep] from the browser
manufacturer.

In other words, like everything else made by the browser manufacturers,
it's *NOT* standard, it's *NOT* reliable, and it has absolutely *NO*
usefulness from a security stand-point :-)

What you need to do is store the uploaded file somewhere as inaccessible
as possible, so that only PHP can find/read it.

Then, you need to authenticate that file as much as you possibly can,
using every reasonable means at your fingertips.

For your case, the zip file, this should include:
  Does it look like a zip file to the 'file' command in Linux?
  Can you unzip it without errors?
  Does it pass consistency checks of the zip program?
  Can gunzip, if it supports unzip with a different code-base/algorithm,
also unzip it and consistency-check it?
  Does it have a reasonable size?

If you have an expectation of specific kinds of files within the zip, you
should also walk through each of those files and authenticate them, again,
as much as you can.

Can image files have http://php.net/getimagesize called on them successfully?
Does it pass the Unix 'file' test?
Does the mime-type from getimagesize match the extension?
Can ImageMagick 'convert' the file without error?
ImageMagick may have a consistency check option.  Use it.

For text files, does it pass the Unix 'file' test?
Do the contents have a reasonable distribution of characters in English? :-)
Are there about the right number of newlines for a file of that size?
Is the size reasonable in the first place?

You may not be able to implement all these tests -- But the more you can
implement, and, more importantly, if you set it up to make it easy to ADD
more tests later, the better off you are.

Only files that pass your tests with flying colors then get moved to their
ultimate destination.

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
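The procedure the reply lays out (move the upload somewhere the web server cannot serve it, then stack independent checks on the archive and on each entry, and only move a file that passes all of them) as a worked PHP example. This is an added illustration, not code from the original thread or from the PHP project. It assumes PHP 8 with the Zip extension (ZipArchive) and a Linux host with the 'file' command on PATH; the quarantine directory, the size and entry limits, the allowed image types and the hypothetical FINAL_DIR are placeholders to adjust. RAR handling is left out because stock PHP has no RAR reader.

```php
<?php
// Added example, not from the original post. Assumes PHP 8 + ext/zip and the
// Linux 'file' command. Paths and limits below are hypothetical placeholders.
declare(strict_types=1);

const QUARANTINE_DIR   = '/var/spool/uploads-quarantine'; // outside the document root (assumed)
const MAX_ARCHIVE_SIZE = 20 * 1024 * 1024;   // 20 MiB on disk
const MAX_UNPACKED     = 200 * 1024 * 1024;  // 200 MiB total uncompressed
const MAX_ENTRIES      = 1000;
const MAX_RATIO        = 100;                // unpacked/packed above this is treated as a zip bomb

/** Step 1: get the file out of the web root under a name we choose, before looking at it. */
function quarantineUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed or not an uploaded file');
    }
    if ($file['size'] > MAX_ARCHIVE_SIZE) {
        throw new RuntimeException('archive too large');
    }
    $dest = QUARANTINE_DIR . '/' . bin2hex(random_bytes(16)) . '.bin'; // client-supplied name is ignored
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not quarantine upload');
    }
    chmod($dest, 0600);
    return $dest;
}

/** Step 2a: does it start like a zip? (local file header, empty archive, or spanned marker) */
function hasZipMagic(string $path): bool
{
    $head = (string) file_get_contents($path, false, null, 0, 4);
    return in_array($head, ["PK\x03\x04", "PK\x05\x06", "PK\x07\x08"], true);
}

/** Step 2b: a second opinion from the 'file' command, independent of PHP's zip code. */
function fileCommandSaysZip(string $path): bool
{
    $out = shell_exec('file -b --mime-type ' . escapeshellarg($path) . ' 2>/dev/null');
    return trim((string) $out) === 'application/zip';
}

/** Step 2c: open with libzip's consistency check, then walk and sanity-check every entry. */
function inspectZipEntries(string $path, ?callable $perEntry = null): void
{
    $zip = new ZipArchive();
    if ($zip->open($path, ZipArchive::CHECKCONS) !== true) {
        throw new RuntimeException('zip failed to open or failed consistency check');
    }
    if ($zip->numFiles > MAX_ENTRIES) {
        throw new RuntimeException('too many entries');
    }
    $unpacked = 0;
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $st = $zip->statIndex($i);
        if ($st === false) {
            throw new RuntimeException("cannot stat entry $i");
        }
        $name  = $st['name'];
        $parts = explode('/', str_replace('\\', '/', $name));
        // Names that would escape an extraction directory if unzipped naively.
        if ($name === '' || $name[0] === '/' || str_contains($name, "\0") || in_array('..', $parts, true)) {
            throw new RuntimeException("unsafe entry name: $name");
        }
        $unpacked += $st['size'];
        if ($unpacked > MAX_UNPACKED) {
            throw new RuntimeException('unpacked size exceeds limit');
        }
        if ($perEntry !== null && !str_ends_with($name, '/')) {
            $data = $zip->getFromIndex($i); // full read; libzip reports a CRC mismatch as an error
            if ($data === false) {
                throw new RuntimeException("cannot read entry: $name");
            }
            $perEntry($name, $data);
        }
    }
    if ($unpacked / max(1, (int) filesize($path)) > MAX_RATIO) {
        throw new RuntimeException('suspicious compression ratio');
    }
    $zip->close();
}

/** Step 3: the reply's per-entry image checks: getimagesize succeeds and its MIME type matches the extension. */
function checkImageEntry(string $name, string $data): void
{
    $byExt = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];
    $ext   = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!isset($byExt[$ext])) {
        throw new RuntimeException("unexpected file type in archive: $name");
    }
    $info = @getimagesizefromstring($data);
    if ($info === false || $info['mime'] !== $byExt[$ext]) {
        throw new RuntimeException("image check failed: $name");
    }
}

// Usage (field name 'userfile' as in the question; FINAL_DIR is a hypothetical destination):
// $path = quarantineUpload($_FILES['userfile']);
// try {
//     if (!hasZipMagic($path) || !fileCommandSaysZip($path)) { throw new RuntimeException('not a zip'); }
//     inspectZipEntries($path, 'checkImageEntry');
//     rename($path, FINAL_DIR . '/' . basename($path));   // only a file that passed everything gets here
// } catch (RuntimeException $e) { unlink($path); exit('rejected: ' . $e->getMessage()); }
```

Each check is a separate function so that a new test (an ImageMagick `identify` run, a byte-distribution check for text entries) can be added to the chain without touching the others, which is the "make it easy to ADD more tests later" point from the reply.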

