MIME Types

jwb666

i am doing a file upload page, but i dont want any code like PHP files or JavaScript.

But i dont know hardly any MIME types, is PHP a text/plain or does it have it's own mime type?

here is my code that blocks some mime types:

$userfile_type = $HTTP_FILE_VARS['file']['type']
#or something like that, i can't remember it excatly, but it works,
#ive tested it.

if ($userfile_type="text/plain")
#it wont be text/plain when i do it properly
{
echo ("File is plain text. This file is not allowed please choose another file");
exit;
}

what i wnated to know is

Can you block certain extensions ike .php or .jsp?
If not, what are the MIME types for JavaScript, PHP and other codes which could be a security risk?

Thanks 🙂

_e_r_k

Here is a list of all MIME-types:

http://www.webmaster-toolkit.com/mime-types.shtml

I also discovered an error in your code. You must change the line if ($userfile_type="text/plain") to
if ($userfile_type=="text/plain"), otherwise it will not work properly.

seby

you are on the right track.. something like this is what your looking for:

<?php
$filetype = $_FILES['file']['type'];

if ($filetype == 'text/plain')
{ 
	// txt file type allowed. do whatever ..
}
else
{
	die('This file is not allowed please choose another file'); 
}
?>

_e_r_k

Originally posted by jwb666
...what are the MIME types for JavaScript, PHP and other codes which could be a security risk?

PHP = application/octet-stream
ASP = text/asp
JavaScript = text/javascript

jwb666

thanks a lot!

and as for the error in the code, i know about that, I was just typing quick (i only had about 30 secs left of my lunch break). One more question:

[e]r!k already said the MIME's for PHP, ASP, and JavaScript. What I want to know is if there are any more types of files that could be a security risk?

thanks again!

seby

why dont you allow 1 - 2 mime types and ignore everything else? its much safer to allow just zips and txt for example.

jwb666

yeah, but the site is actually about modifications for games, so there are absoblutely tons of different file types, with all the anims, graphics, and tiki files. And maps.... and I want people to be able to upload files non-related to mapping aswell. So iy would be difficult to just allow 1 or 2 file types. Also, some file extensions are so unusual I don't think I'll find MIME types for them. Thanks anyways, though!

MungoBBQ

Just remember that a .php-file will have the MIME-type text/plain when it is uploaded! There is really no other way for you to find out if an uploaded text file contains PHP or not than searching for "<?" in the text file. Of course, you could exclude all uploaded files ending with ".php" too, but PHP could still be uploaded as a ".txt" file.

jwb666

how can I block certain extensions? would it be something like this:

$file_name = $HTTP_FILE_VARS['file']['name']

if ($filename == "*.php" or "*.jsp")
{
echo ("file is a PHP or JavaScript file, which are not allowed due to security reasons. Please select another file.")
}

and also, if a PHP file is uploaded as a .txt, surely it could do no harm, the server would not recognise it as a
php file?

MungoBBQ

No, if they are uploaded as .txt they would be harmless, that is correct.

Check for suffices like so:

if (eregi(".php", $filename)) { // Filename has ".php" in it

  }

jwb666

thanks!

know all i need to know is: what are the code extensions that are dangerous to my server, like .jsp and .php?

i'm sure there are more. But stuff like c++ isn't a problem because they would be downloaded not opened on the server, wouldn't they?