Thanks guys.
I had written a newer version restricted to images which checks MIME and image width and height.
I have one application which needs a text file. I think I'll have my users hide a password in it
and scan the whole file for <? and <?php and other signs of scripts, etc.
Al wrote:
One of my sites has been hacked and I'm trying to find the hole. The
hack code creates dirs with "nobody" ownership, so it's obvious stuff is
not via ftp [ownership would be foo]
Site is virtual host, Linux/Apache
I'm concerned about a file uploader my users use to upload photos.
Can anyone see a hole in this script? Can my code upload an executable
masquerading as an image file?
$filetype = array("gif", "jpg", "jpeg", "png", "txt", "css");
function csvt_file_upload($filetype, $max_size)
{
$prohibits = array("exe", "php", "inc", "php3", "pl", "bat", "cgi");
//common executables.
$absolute_max_size = 2000000;
end($_FILES); //get the "name" used by the html <input.....
$name = key($_FILES); //could use the register variables, but this is safer.
if(isset($_FILES[$name]['name'])) $input_name = $_FILES[$name]['name'];
$error = "no"; //reset for error checks
if (!isset($filetype)) {
echo "<p style=\"color:red\"> File type assignment missing </p> ";
$error = "yes";
};
if (!isset($max_size)) {
echo "<p style=\"color:red\"> Max file size assignment missing.</p>";
$error = "yes";
};
$filename = $_FILES[$name]['name'];
$tmp_name = $_FILES[$name]['tmp_name'];
$size = $_FILES[$name]['size'];
$absolute_path_file = getcwd(). DATA_DIR . $filename; //DATA_DIR is a constant defined elsewhere (not shown)
if (($size >= $max_size) OR ($size > $absolute_max_size)) {
echo "<p style=\"color:red\"> File size is too large.</p> ";
$error = "yes";
}
$ext = substr(strrchr($filename, "."), 1); //get the extension, remove the "."
if (in_array($ext, $prohibits)) {
echo "<p style=\"color:red\">Illegal file type, executable.</p>\r\n";
$error = "yes";
}
if (is_executable($filename)) { //note: tests $filename (the client-supplied name), not $tmp_name
echo "<p style=\"color:red\">Illegal file type, executable file.</p>\r\n";
$error = "yes";
} //This is a double check in case $prohibits is incomplete.
if (is_array($filetype) AND !in_array($ext, $filetype)) {
echo "<p style=\"color:red\">Illegal file type.</p>\r\n";
$error = "yes";
}
if(!is_array($filetype) AND ($filetype != $ext)){
echo "<p style=\"color:red\">Illegal file type.</p>\r\n";
$error = "yes";
}
if ($error == "yes") {
echo "<p style=\"color:red\">There was an error(s) with your file selection \"$input_name\" as the note(s) indicates. Please reselect, or remove your file selection and email for help. </p>\r\n";
}
else {
if(!move_uploaded_file($tmp_name, $absolute_path_file))
die("<p style=\"color:red\">There was an error saving your file. Check permissions of " . DATA_DIR . " Must be 777 </p>\r\n");
chmod($absolute_path_file, 0644);
}
return;
}
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
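The rewrite below is an added example from the editor; it is not Al's code and was not posted on the list. It assumes PHP 7 or later (random_bytes, bundled fileinfo), an upload directory outside the document root (UPLOAD_DIR is my name for it), and that the caller passes the form field name in as $field; csvt_file_upload_safe, $ALLOWED and the helper variables are likewise my names. It shows what the reply's MIME plus width/height checks and the "<?" scan for text files look like in code, and it changes three things in the posted version: a whitelist of sniffed MIME types replaces the $prohibits blacklist (which is case-sensitive and does not list .phtml, .php5 or .phar), every check runs against $tmp_name rather than the client-supplied $filename (the posted is_executable() call looks the client's name up in the current directory), and the stored name is generated on the server instead of reused from the upload.

```php
<?php
// Added example (editor's code, not from the original post). Assumptions:
// PHP >= 7, fileinfo extension loaded, UPLOAD_DIR writable and not served
// by Apache, and an <input type="file" name="photo"> field.
define('UPLOAD_DIR', '/var/www/uploads');   // assumption: outside DocumentRoot

// Whitelist: sniffed MIME type => extension the stored file gets.
// Anything libmagic reports that is not listed here is refused, so a PHP
// file named shell.jpg (sniffed as text/x-php) never reaches the checks below.
$ALLOWED = [
    'image/gif'  => 'gif',
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'text/plain' => 'txt',
];

function csvt_file_upload_safe(string $field, int $max_size, array $allowed): array
{
    if (!isset($_FILES[$field]) || $_FILES[$field]['error'] !== UPLOAD_ERR_OK) {
        return [false, 'No file received or the upload was truncated.'];
    }
    $tmp  = $_FILES[$field]['tmp_name'];
    $name = $_FILES[$field]['name'];

    // Trust the temp file on disk, not $_FILES['size'] or the client's name.
    if (!is_uploaded_file($tmp)) {
        return [false, 'Not an uploaded file.'];
    }
    if (filesize($tmp) > $max_size) {
        return [false, 'File size is too large.'];
    }

    // Content sniffing with libmagic on the temp file, not the browser's
    // Content-Type header, which the client controls.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmp);
    if (!isset($allowed[$mime])) {
        return [false, "Illegal file type ($mime)."];
    }
    $ext = $allowed[$mime];

    // The client's LAST extension, lower-cased, must agree with the sniffed
    // type, so shell.PHP and shell.php.jpg cannot slip through on case or on
    // a double extension.
    $client_ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if ($client_ext !== $ext && !($ext === 'jpg' && $client_ext === 'jpeg')) {
        return [false, 'Extension does not match file contents.'];
    }

    // Type-specific second check.
    if ($ext === 'txt') {
        // Script markers anywhere in a "text" file: refuse it.
        $body = file_get_contents($tmp);
        if (preg_match('/<\?|<script|<%/i', $body)) {
            return [false, 'Text file contains script markers.'];
        }
    } else {
        // getimagesize() parses the real image header; a non-image fails
        // here. The width/height bound keeps a later resize from exhausting
        // memory (4000 px is an arbitrary limit for the example).
        $info = @getimagesize($tmp);
        if ($info === false || $info[0] > 4000 || $info[1] > 4000) {
            return [false, 'Not a valid image, or dimensions too large.'];
        }
    }

    // Never reuse the client filename: generate one on the server.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(8)) . '.' . $ext;
    if (!move_uploaded_file($tmp, $dest)) {
        return [false, 'Error saving file; check permissions of ' . UPLOAD_DIR];
    }
    chmod($dest, 0644);   // readable, never executable
    return [true, $dest];
}

// Usage from the upload handler (field name and limit are the caller's):
// list($ok, $result) = csvt_file_upload_safe('photo', 2000000, $ALLOWED);
```

Two caveats a reviewer would add. A GIF or JPEG with PHP code tucked into a comment segment is still a valid image to both libmagic and getimagesize(), so the checks above are necessary but not sufficient; what actually stops the "nobody"-owned directories Al describes is the upload directory not being handed to the PHP handler (outside DocumentRoot, or with `php_flag engine off` / `RemoveHandler` in that directory) and the file being served with a fixed Content-Type. And the posted code's `end($_FILES)`/`key($_FILES)` picks whichever file field arrived last, so a form with two file inputs validates only one of them; passing the field name in explicitly, as above, avoids that.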