Re: File Upload Security

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I don't pay any attention to MIME sent by the client.

I check the MIME returned from getimagesize() and I'm not too certain of it. i need to do further research.

I do check the images have width and height and I extract the embedded text stuff.

I'm going to look into your suggestion. Thanks.

Peter Ford wrote:
Al wrote:
Thanks guys.

I had written a newer version restricted to images which checks MIME and image width and height.

I have one application which needs a text file. I think I'll have my users hide a password in it and scan the whole file for <? an <?php and other signs of scripts, etc.

Al wrote:
One of my sites has been hacked and I'm trying to find the hole. The hack code creates dirs with "nobody" ownership, so it's obvious stuff is not via ftp [ownership would be foo]

Site is virtual host, Linux/Apache

I'm concerned about a file uploader my users use to upload photos.

Can anyone see a hole in this scrip? Can my code upload an executable masquerading as an image file?

You probably need a deeper inspection than checking the extension - that's Microsoft thinking... You can't trust what the client is telling you - even the MIME type sent by the browser is no guarantee. Since you're on Linux, why not look at using the 'file' shell command to get a more detailed inspection of the upload. I made a basic function like this a few years ago - probably needs a bit of tweaking:

<?php
    function getMimeType($file)
    {
    global $magicFile;
$mimecmd = "/usr/bin/file -b -m ".escapeshellargs($magicFile)." ".escapeshellargs($file)." 2> /dev/null";
        $ret = exec($mimecmd);
        if (!$ret)
        {
            $ret = "unknown";
        }
        return $ret;
    }
?>

The global $magicFile is the tricky bit - you need to find a nice Unix magic numbers file that returns mime types (they're easier to parse than regular magic number responses). Probably something like /usr/share/misc/magic.mime, but that depends on the system.



--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux