Ensuring that files that have been uploaded cannot be executed...

jetta_gt

I have built a little user based content management system that is working well and is teaching me a lot about PHP/mySQL. I've got file uploads working, and it's cool cuz authenticated users can upload files and they will be listed so others can download them, etc. Not a new concept at all of course, but I got it working by myself, so that's cool...

Here is my question: How do I make sure that no one (yes, they will be authenticated users, but i still don't trust them) uploads a file like printyourpassword.php and then just enters: mysite.com/cms/files/printyourpassword.php to execute, I want to make sure that this doesn't happen with ASP or CGI files either, or with ANY kind of files that would compromise the security of the site or my server.

Right now, I use a lame method of not allowing any files with with titles that contain ".php", ".cgi", etc... to even be uploaded, but this CAN'T be the most secure way of dealing with this problem can it!?!??!

Thanks.

jpmoriarty

i'm not sure how else you can do it - if you allow them to upload anything, then provided your server doesnt parse the file you should be fine. If the way to stop that is to not allow them to upload files that your server will be tricked into parsing, then you shouldnt allow files that end in php and cgi. You might also want to check that things like .ph3 and .phtml (or whatever some of the other extensions that are possible) arent allowed also, or even do it so that if they are, then it adds a .txt to the end of them so that people can still download the files, just the server wont execute them.

jetta_gt

Hmmmm, well I guess if it's the only way to do it, I will try to be thorough and do a good job of making sure that possible security threats get removed, the only thing is, i'm just worried about missing some archaic extension that just might work on a server that i install this little content management system on... Like, .pphpp or something weird... You know what I mean? I guess a good look at httpd.conf would be a good place to start...

jpmoriarty

alternatively, you could just allow certain file types to be uploaded - ie jpg, gif, bmp, txt, doc, html, mp3 etc.

Anything else and (providing you allowed .zip) then you could send an error (saying "cannot upload this file type") and then suggest that they zip it up first before uploading it.

You'll probbaly find that this is actually quicker and more secure than trying to filter out the dangerous ones.

jetta_gt

that is a good idea! i'm just a bit worried of Joe User not knowing what the steps involved in zipping a file up are... This will be using at a college sorerity, so we are not talking about the most savvy computer users... However, the more I think about, I like your idea.

Here are some file extensions that I think I will allow:

.ai
.avi
.rm
.ram
.tiff
.tif
.mp3
.mpg
.mpeg
.mpeg4
.mov
.wav
.aiff
.html
.htm
.xls
.psd
.eps
.doc
.txt
.pdf
.png
.jpeg
.jpg
.gif
.bmp
.zip
.sit
.tar
.gz
.swf (although, could there be some kind of embedded php, I know Flash is getting pretty robust?)

Any others that I should allow?

What would happen to files with no extension, like a file from a Mac, which doesn't require file extensions?

dar-k

As far as I know, PHP can't be embedded in SWF, so it should be ok.
I think you should force Mac users to stick an extension to their filenames.
Macs work just fine with extensions.

K-mikko

Isn´t it so, that the server will not correctly render a php-file hidden in a filename evilfile.php.txt?

I tested it myself, and it outputted the code without rendering it to html. I guess, that the last extension of the file name must be "php" for it to be a proper php-file.

I have also made an "uploadcenter" for my friends and I to use an d there the uploadscript checks by exploding the filename into an array the last extension of the filename. If it contains letters "php", the file will not be uploaded... What do you think, is it easy to fool that system? (Just asking...)

stolzyboy

yes, if you append .txt onto suspected files like .php, .php3, .phtml, etc... then the server can't and won't parse the code, therefore rendering the "harmful" code useless