Better upload security

__berfuzz

Hi!

I trying to fix a upload filter to one of my sites. The site i protected by a login, only 4 users, so one might argue thats theres not likely to be any mischief. Nevertheless, I want to tighten the upload security.

if (($_FILES['file']['type'] != "text/csv"))
{
	$report[] = "Thats not a cvs-file!.";
}

Edit: I accidentally clicked post while previewing, sorry, heres the end of the post.

This works fine as long as the user doesn't try manipulate the file/file-extension. What if a user makes a vicious_phpfile.cvs and uploads it? So whats the freaking problem, why not just get on with it? Well I found some functions in the manual. This is where its getting frustrating. I can't get it to work, no nothing, white death is all I get. mime_content_type or fileinfo I would really appreciate some pointers or help on this one. :-(

NogDog

Is your concern about invalid files what they might do on your server, or what they might do to/for users who download them? (Or both?)

bradgrafelman

überfuzz wrote:
This works fine as long as the user doesn't try manipulate the file/file-extension. What if a user makes a vicious_phpfile.cvs and uploads it?

Even worse; what if I upload this_is_a_deadly_virus.exe and simply tell your PHP script that the filetype is 'text/csv' ? From the manual:

$_FILES['userfile']['type']
The mime type of the file, if the browser provided this information. An example would be "image/gif". This mime type is however not checked on the PHP side and therefore [b]don't take its value for granted[/b].[/quote][emphasis added]
As for the filename, you could probably do something like:
if (strtolower(substr($_FILES['file']['name'], -4)) != '.csv')
This at least verifies that the filename ends with '.csv' (although it doesn't guarantee anything about its contents).

__berfuzz

I haven't thought much about different cases. Only that I wish to be ably to prevent users from uploading things that I haven't approved. My aim was to find out a way to scan files thats up for uploading. Like $_FILES['filename']['type'], but I only just found out that it's not checking the file. It's checking for the type given by the browser. An other thing I did was checking files for strings like <?php but I don't know...

Any hints on a good way to prevent user from uploading bad files?