Uploading a text file - security

Anon

Recently it occurred to me that someone might try uploading a text file (html or whatever) that had a php delimiter it in so I want to reject any such text files. (We allow html file uploading) Checking for <? and ?> is easy but I also wanted to check for <script language=php> and all the possible permutations of that tag. (It's paranoid but so am I)

Here's my attempt at pattern matching for that string. If any one has any suggestions please let me know.

Otherwise, I hope this helps someone who might need a snippet like this.

I use pcre not ereg because I find it's more flexible and has more features to use.

preg_match("/(<)\s(script)\s+(language)\s(=)\s(\"?|\'?)\s(php)\s(\"?|\'?)\s(>)/i", $txt)

matt.

Anon

Ehe? Ummm I don't know how you have your server set up, but on mine and everyone else I've seen the server decided that a script should be executate or not by it's extension, so just check that the file isn't one of the common php extensions when it's being uploaded, and either reject or change it if it is.

Or am I missing some sorta weird Linux setup that doesn't depend on the php file extension?

Anon

I have had at least one situation where, although the file was uploaded as an html file (this was to obtain content from the user, but not executable content), it would at some point, for various reasons, be executed as php, (after changing the extension of course). Of course, I am aware that most of the time the server decides what is executable.

That is why I wanted to find a way to find all php delimiters within some text.

Thanks for asking.

Anon

Weird... hmmm I'd love to see the script that did that little funky manouver.

Sure it wasn't uploaded as a .phtml file? Thats a valid php extension...

FYI-I'm just curious, if there are any risks to my secure systems I'd love to know all I can about it.

Anon

one thing you might wish to bear in mind; the proper combination of escapes can result in code getting through most filesystems. it depends on the system, of course: it's the same reason you get occasional bits of markup in these messages. it can become a problem with smurfing, for example. you could be well advised to strip backslashes from the code first, and then check for script tags.

--
rad