Limiting allowed file format for upload...

bagpuss03

Hello,

I don't really know much about php and needed to make a web contact form for a client where the user can upload images which are then sent as an attachment with the resulting email.

I kind of cheated and bought a bit of software which creates the script for you. This works great, but I am concerned about people uploading things other than images - especially after seeing this thread:

http://www.phpbuilder.com/board/showthread.php?t=10315994&highlight=upload+email+file+type

Now, obviously there is a bit of script in one of the replies which addressed my issue, but I don't know enough about php to adapt it for my own script. Therefore, I was wondering if someone would be so kind as to point out where I need to make changes and what those changes would be.

I need to allow only common image files and to disallow any of the nasty stuff described in the above thread.

I have created this stripped down script with my software, which addresses the essentials of uploaded image and resulting email to which it is attached, plus a section which deals with errors, http referers and stop words for security. The actual script includes more fields, but I thought it would take up too much space!

<?PHP

DEFINE('kOptional', True);
DEFINE('kMandatory', False);




error_reporting(E_ERROR | E_WARNING | E_PARSE);
ini_set('track_errors', true);

#----------
# Filter by Stop Words

function stopwords_check()
{

 $specialchars = array('?', '\\', '.', '[', ']', '^', '$', '/');
 $escapedchars = array('\\?', '\\\\', '\\.', '\\[', '\\]', '\\^', '\\$', '\\/');

 $bannedstopwords[] = 'sex';
 $bannedstopwords[] = 'sexual';
 $bannedstopwords[] = 'explicit';
 $bannedstopwords[] = 'hack';
 $bannedstopwords[] = 'hacker';


 foreach ($_POST as $fieldname => $fieldvalue) {
  foreach ($bannedstopwords as $stopword_key => $stopword_value) {
   $stopword_value = str_replace($specialchars, $escapedchars, $stopword_value);
   $pattern = "/.*$stopword_value.*/i";
   if (is_array($fieldvalue)) {
    $fieldvalue = implode(",", $fieldvalue);
   }
   if (preg_match($pattern, $fieldvalue)) {
    header("Location: http://www.mydomain.com/forbidden.html");
    exit;
   }
  }
 }
}

#----------
# Filter by Referer

function referer_check()
{

 $allowedreferers[] = 'http://mydomain.com';
 $allowedreferers[] = 'http://www.mydomain.com';

 $notfound = true;
 foreach ($allowedreferers as $referer_key => $referer_value) {
  if ($referer_value == $_SERVER['HTTP_REFERER']) {
   $notfound = false;
   break;
  }
 }

 if ($notfound === true) {
  header("Location: http://www.mydomain.com/forbidden.html");
  exit;
 }
}

function DoStripSlashes($FieldValue) 
{ 
 if ( get_magic_quotes_gpc() ) { 
  if (is_array($FieldValue) ) { 
   return array_map('DoStripSlashes', $FieldValue); 
  } else { 
   return stripslashes($FieldValue); 
  } 
 } else { 
  return $FieldValue; 
 } 
}

#----------
# FilterCChars:

function FilterCChars($TheString)
{
 return preg_replace('/[\x00-\x1F]/', '', $TheString);
}

#----------
# Validate: Email

function check_email($email, $optional)
{
 if ( (strlen($email) == 0) && ($optional === true) ) {
  return true;
 } elseif ( eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,4})$", $email) ) {
  return true;
 } else {
  return false;
 }
}



if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
 $ClientIP = $_SERVER['HTTP_X_FORWARDED_FOR'];
} else {
 $ClientIP = $_SERVER['REMOTE_ADDR'];
}

stopwords_check();
referer_check();
$FTGMAX_FILE_SIZE = DoStripSlashes( $_REQUEST['MAX_FILE_SIZE'] );
$FTGuserfile = $_FILES['userfile']['name'];
$FTGemail = DoStripSlashes( $_REQUEST['email'] );

$FTGMAX_FILE_SIZE = strip_tags($FTGMAX_FILE_SIZE);
$FTGemail = strip_tags($FTGemail);

# Fields Validations

$ValidationFailed = false;

if (!check_email($FTGemail, kMandatory)) {
 $ValidationFailed = true;
 $FTGemail_errmsg = "Please enter a valid email address!";
 $ErrorList .= $FTGemail_errmsg . '<br/>';
}


# Embed error page and dump it to the browser

if ($ValidationFailed == true) {

 $FileErrorPage = 'http://www.mydomain.com/error.html';

 if (file_exists($FileErrorPage) === false) {
  echo 'The error page: <b>' . $FileErrorPage. '</b> cannot be found on the server.';
  exit;
 }

 $FileHandle = fopen ($FileErrorPage, "r");
 $ErrorPage = fread ($FileHandle, filesize($FileErrorPage));
 fclose ($FileHandle);

 $ErrorPage = str_replace('<!--VALIDATIONERROR-->', $ErrorList, $ErrorPage);

 $ErrorPage = str_replace('<!--FIELDVALUE:MAX_FILE_SIZE-->', $FTGMAX_FILE_SIZE, $ErrorPage);
 $ErrorPage = str_replace('<!--FIELDVALUE:userfile-->', $FTGuserfile, $ErrorPage);
 $ErrorPage = str_replace('<!--FIELDVALUE:email-->', $FTGemail, $ErrorPage);
 $ErrorPage = str_replace('<!--ERRORMSG:email-->', $FTGemail_errmsg, $ErrorPage);


 echo $ErrorPage;
 exit;

}
# Email to Form Owner

$emailSubject = FilterCChars("You file");

$emailBody = "--FTG_BOUNDRY\n"
 . "Content-Type: text/plain; charset=\"ISO-8859-1\"\n"
 . "Content-Transfer-Encoding: 8bit\n"
 . "\n"
 . "Here is your file\n"
 . "\n"
 . "File name : $FTGuserfile\n"
 . "email : $FTGemail\n"
 . ""
 . "\n";

if ( is_uploaded_file($_FILES['userfile']['tmp_name']) ) {

 $fileName = $_FILES['userfile']['tmp_name'];
 $fileHandle = fopen($fileName, 'r');
 $fileAttach = fread($fileHandle, filesize ($fileName));
 fclose($fileHandle);

 $fileAttach = chunk_split(base64_encode($fileAttach));

 $emailBody .= "--FTG_BOUNDRY\n"
  . "Content-Type: " . $_FILES['userfile']['type'] . "; name=\"" . $_FILES['userfile']['name'] . "\"\n"
  . "Content-disposition: attachment\n"
  . "Content-transfer-encoding: base64\n"
  . "\n"
  . "$fileAttach\n"
  . "\n";
}



$emailBody .= "--FTG_BOUNDRY--\n";
 $emailTo = "Fred <email@mydomain.com>";

 $emailFrom = FilterCChars("email@mydomain2.com");

 $emailHeader = "From: [email]email@mydomain2.com[/email]\n"
  . "MIME-Version: 1.0\n"
  . "Content-Type: multipart/mixed; boundary=\"FTG_BOUNDRY\"\n"
  . "This is a multi-part Content MIME format.\n";

 mail($emailTo, $emailSubject, $emailBody, $emailHeader);


# Redirect user to success page

header("Location: http://www.mydomain.com/success.html");
exit;
?>

Any advice woule be greatly appreciated!

Thanks 🙂

bpat1434

Simple enough. I gave you a starting point, the modifications, and the ending point in your code so you should see where it goes. Not a large modification, just a small one.

$emailBody = "--FTG_BOUNDRY\n"
. "Content-Type: text/plain; charset=\"ISO-8859-1\"\n"
. "Content-Transfer-Encoding: 8bit\n"
. "\n"
. "Here is your file\n"
. "\n"
. "File name : $FTGuserfile\n"
. "email : $FTGemail\n"
. ""
. "\n"; 

/** START MODIFICATIONS **/
$allowed_types = array( // List all allowed MIME Types here
					'image/gif', 
					'image/jpeg',
					'image/tiff',
					'image/bmp',
					'image/photoshop',
					'image/png',
					'image/tif',
				);

if ( is_uploaded_file($_FILES['userfile']['tmp_name']) && in_array($_FILES['userfile']['type'], $allowed_types) ) {

/** END OF MODIFICATIONS **/

$fileName = $_FILES['userfile']['tmp_name'];
$fileHandle = fopen($fileName, 'r');
$fileAttach = fread($fileHandle, filesize ($fileName));
fclose($fileHandle);

$fileAttach = chunk_split(base64_encode($fileAttach));

$emailBody .= "--FTG_BOUNDRY\n"
  . "Content-Type: " . $_FILES['userfile']['type'] . "; name=\"" . $_FILES['userfile']['name'] . "\"\n"
  . "Content-disposition: attachment\n"
  . "Content-transfer-encoding: base64\n"
  . "\n"
  . "$fileAttach\n"
  . "\n";
}

bagpuss03

Hi,

Thanks for your reply. I did as you said and tested the script by uploading .gif and .bmp which were sent successfully with the email. I tested .doc with was disallowed (the email was sent without the attachment). However, I cannot upload .jpeg even though it is in the list of allowed types. I thought this might be because I was uploading a .jpg and not a .jpeg (any difference?) and added image/jpg to the list. This made no difference.

I had managed to upload the same .jpg file before I edited the script, so what's the problem? :bemused:

Thanks for your help

bpat1434

Perhaps the file you're using isn't a jpeg 😉 I'm not 100% sure. According to w3c, image/jpeg should account for:
.jpeg, .jpg, .jpe
files.

Reference

One thing is that perhaps, PERHAPS your server doesn't have the MIME-Type registered; although, doubtful. But it's a possiblity that the MIME-Type isn't registered so that .jpg, .jpe, and .jpeg are image/jpeg.

bagpuss03

these are some of the mime_types on my server. As you can see, image/jpeg is included, although not image/photoshop.

image/bmp = bmp

image/gif = gif

image/jpeg = jpeg jpg jpe

image/png = png

image/tiff = tiff tif

Seems strange. I'll have to play around and hope something works!!

bagpuss03

I went to the forum for my web host and asked if anyone knew what was going on and someone suggested I temporarily pop an extra bit of code in to tell me what the problem was.

The result was that I added image/pjpeg to the array (god knows why - it doesn't even seem to be listed on my server) et voila! I can now receive .jpgs! Very strange...

Now do you think there is anything else I should be doing to make sure these allowed file types are the ONLY file types I get?

bpat1434

What else can you do? If you try and execute them, you risk running the malicious program. It's kind of a catch-22. You either trust them with this small security measure in place, or do you want to risk running malicous code hidden in a .jpg file on the off chance someone can fake the Mime-type? Really the choice is yours. But I can't think of much else.

Weedpacket may have another idea...... although I think it would involve reading part of the file... not sure.

bagpuss03

Since people can "fake" mime_types, can I also add something to the script that would limit file extensions after the first period?

bpat1434

Sure:

$extArray = array('jpg', 'jpeg', 'gif', 'png', 'bmp');

if(in_array(substr($filename, strrpos($filename, '.')+1), $extArray) {
  // Okay
} else {
  // not okay
}

Just add that as needed.....

bagpuss03

Would I just put this in the same place as the mime_types? i.e.:

$emailBody = "--FTG_BOUNDRY\n" 
. "Content-Type: text/plain; charset=\"ISO-8859-1\"\n" 
. "Content-Transfer-Encoding: 8bit\n" 
. "\n" 
. "Here is your file\n" 
. "\n" 
. "File name : $FTGuserfile\n" 
. "email : $FTGemail\n" 
. "" 
. "\n"; 

/** START MODIFICATIONS **/ 
$allowed_types = array( // List all allowed MIME Types here 
                    'image/gif', 
                    'image/jpeg', 
                    'image/tiff', 
                    'image/bmp', 
                    'image/photoshop', 
                    'image/png', 
                    'image/tif', 
                ); 

$extArray = array('jpg', 'jpeg', 'gif', 'png', 'bmp'); 

if ( is_uploaded_file($_FILES['userfile']['tmp_name']) && in_array($_FILES['userfile']['type'], $allowed_types) && in_array(substr($filename, strrpos($filename, '.')+1), $extArray ) { 

/** END OF MODIFICATIONS **/ 

$fileName = $_FILES['userfile']['tmp_name']; 
$fileHandle = fopen($fileName, 'r'); 
$fileAttach = fread($fileHandle, filesize ($fileName)); 
fclose($fileHandle); 

$fileAttach = chunk_split(base64_encode($fileAttach)); 

$emailBody .= "--FTG_BOUNDRY\n" 
  . "Content-Type: " . $_FILES['userfile']['type'] . "; name=\"" . $_FILES['userfile']['name'] . "\"\n" 
  . "Content-disposition: attachment\n" 
  . "Content-transfer-encoding: base64\n" 
  . "\n" 
  . "$fileAttach\n" 
  . "\n"; 
}

or would it go somewhere else? Don't forget I'm new to php, so forgive me if this is a stupid question!

If it goes somewhere else, would you mind showing me where, like you did before? Thanks for your patience!

bpat1434

nope, that's right

bagpuss03

Thanks for getting back to me. I just tried the script exactly as I had done it above and got:

Parse error: syntax error, unexpected '{' in /home/username/public_html/process-format2.php on line 365

line 365 being the line starting: If (is_uploaded_file...

Surely this { is needed? It was there before and didn't cause a problem?

bpat1434

You forgot a closing ")" in the if() statment.

bagpuss03

Well that's just typical! I managed to clear up that little problem and now the script is not attaching ANY images to my email. I have tried with .gif and .jpg and neither are being received.

If I wasn't so paranoid about people trying to hack into my site I'd say *%^$ it! But I am, so yet again, I ask your advice... :o

bpat1434

Well, let me check it out....

Okay, so look at this bit:

in_array(substr($filename, strrpos($filename, '.')+1), $extArray )

Now, where is $filename defined? $filename should either be defined OR replaced with $_FILES['userfile']['name']

bagpuss03

Excellent!!

I replaced $POST with $FILES cos $POST did not work. I even managed to redirect the user to a FORBIDDEN! page if they try and upload something they shouldn't.

OK - I'm gonna let it loose on the world now and hope my security measures are enough!!

Thank you for all your wisdom and patience!

bpat1434

Yeah... sorry about that. Should have been $_FILES in the first place... not sure what I was thinking 0🙂

Have fun!! It should be okay though. Come back with any issues you find.