[RESOLVED] File validation!

fauvent

Hello there. Its my first post here and yes, Im a newbie, so bear with me. I've been searching for over a week over the internet the solution for this problem and I just don't get it: I have a webpage where anyone can upload a picture for a profile. I tried to make a safety upload with the following "secure" methods:

Checking extension
Checking type with $_FILE['file'][type]
Cleaning the name
Renaming it randomly on upload
Storing it in an "outside of the wwwroot" folder
Adding an .htaccess file with this code inside:

<Directory /_1co-ma--vi1_n/>
deny from all
<Files ~ "^{\w+.(gif|jpe?g|png)$">}
order deny,allow
allow from all
</Files>
<Directory>

The random name of the file stores in MYSQL database and from there I pretend take it as a reference to display the picture. I know I should make some "mime validation" but I just cant get magic.mime working in my shared server. My questions in short are:

Is this validation enough to avoid malicious code injection?
How can I display that picture stored in an "outside wwwroot" folder? (The files names are something like 1dwe3402349f09830239098402938089422 with out any extenuation)
In case that some picture passed all this validation with a comment on it or a hidden malicious code, will be executed when i display it?

Thank you and any help will be very much appreciate!

Here is the code:

$foto=$_POST['archivo'];

// Check post_max_size (http://us3.php.net/manual/en/features.file-upload.php#73762)
        $POST_MAX_SIZE = ini_get('post_max_size');
        $unit = strtoupper(substr($POST_MAX_SIZE, -1));
        $multiplier = ($unit == 'M' ? 1048576 : ($unit == 'K' ? 1024 : ($unit == 'G' ? 1073741824 : 1)));

    if ((int)$_SERVER['CONTENT_LENGTH'] > $multiplier*(int)$POST_MAX_SIZE && $POST_MAX_SIZE)
            HandleError('POST exceeded maximum allowed size.');

// Settings
        $save_path = chdir('../MyFolder/');
		$upload_name = 'archivo';                                       // change this accordingly
        $max_file_size_in_bytes = 1048576;                          // 1MB in bytes
        $whitelist = array('jpg', 'png', 'gif');       // Allowed file extensions
        $backlist = array('php', 'php3', 'php4', 'phtml','exe'); // Restrict file extensions
        $valid_chars_regex = 'A-Za-z0-9_-s ';// Characters allowed in the file name (in a Regular Expression format)

// Other variables
        $MAX_FILENAME_LENGTH = 260;
        $file_name = $_FILES['archivo']['name'];
        $file_extension = '';
        $uploadErrors = array(
        0=>'There is no error, the file uploaded with success',
        1=>'Ha excedido el tamaño máximo permitido por el servidor <A HREF="javascript:history.go(-1)">Volver</a>',
        2=>'Ha excedido el tamaño máximo permitido por la forma <A HREF="javascript:history.go(-1)">Volver</a>',
        3=>'El archivo se ha salvado sólo parcialmente <A HREF="javascript:history.go(-1)">Volver</a>',
        4=>'Debe adjuntar una foto para continuar <A HREF="javascript:history.go(-1)">Volver</a>',
        6=>'No se ha encontrado el archivo temporal <A HREF="javascript:history.go(-1)">Volver</a>'
        );

// Validate the upload
        if (!isset($_FILES[$upload_name]))
                HandleError('No upload found in $_FILES for ' . $upload_name);
        else if (isset($_FILES[$upload_name]['error']) && $_FILES[$upload_name]['error'] != 0)
                HandleError($uploadErrors[$_FILES[$upload_name]['error']]);
        else if (!isset($_FILES[$upload_name]['tmp_name']) || !@is_uploaded_file($_FILES[$upload_name]['tmp_name']))
                HandleError('Upload failed is_uploaded_file test.');
        else if (!isset($_FILES[$upload_name]['name']))
                HandleError('File has no name.');

// Validate the file size (Warning: the largest files supported by this code is 2GB)
        $file_size = @filesize($_FILES[$upload_name]['tmp_name']);
        if (!$file_size || $file_size > $max_file_size_in_bytes)
                HandleError('El archivo excede el límite máximo <A HREF="javascript:history.go(-1)">Volver</a>');
        if ($file_size <= 0)
                HandleError('El archivo es demasiado pequeño');
// Validate its a MIME Images (Take note that not all MIME is the same across different browser, especially when its zip file)
        if(!eregi('image/', $_FILES[$upload_name]['type']))
                HandleError('Por favor suba un archivo válido <A HREF="javascript:history.go(-1)">Volver</a>');

// Validate that it is an image
        $imageinfo = getimagesize($_FILES[$upload_name]['tmp_name']);
        if($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg' && $imageinfo['mime'] != 'image/png' && isset($imageinfo))
                HandleError('Lo sentimos, solo se aceptan archivos JPG, PNG y GIFF <A HREF="javascript:history.go(-1)">Volver</a>');

// Validate file name (for our purposes we'll just remove invalid characters)
		 $fname = $_FILES[$upload_name]['name'];
		 $file_name_cleaned = preg_replace("/[^a-zA-Z0-9\.]/", "", strtolower($fname));
		 if (strlen($file_name_cleaned) == 0 || strlen($file_name_cleaned) > $MAX_FILENAME_LENGTH)
		   	    HandleError('El nombre del archivo es inválido <A HREF="javascript:history.go(-1)">Volver</a>');		 

// Validate that we won't over-write an existing file
        if (file_exists($save_path . $file_name_cleaned))
                HandleError('Un archivo con ese nombre ya existe <A HREF="javascript:history.go(-1)">Volver</a>');

// Validate file extension
		$ext  = strtolower(end(explode('.', $_FILES['archivo']['name'])));
		if (in_array($ext, $whitelist) === false){
			HandleError('La extención del archivo que intenta subir no esta permitida <A HREF="javascript:history.go(-1)">Volver</a>');
			}

// Rename the file to be saved
        $file_name_random = md5($file_name_cleaned. time());

// Verify! Upload the file
        if (!@move_uploaded_file($_FILES[$upload_name]['tmp_name'], $save_path.$file_name_random)) {
                HandleError('El archivo no ha podido ser guardado');
        }

/* Handles the error output. */
		$message='Este archivo parece corrupto. No es posible guardarlo <A HREF="javascript:history.go(-1)">Volver</a>';
		function HandleError($message) {
        echo $message;
        exit(0);
				}

/*
********************************************* 
*************Mysqul conection****************
********************************************* 
*/

include('database_connection.php');

/*
********************************************* 
**************User validation****************
********************************************* 
*/

$result = mysql_query("select * from MyTable WHERE user LIKE '%$user%'");
$num_rows = mysql_num_rows($result);

if($num_rows > 0)
	{
	HandleError('The user name you choose already exist <A HREF="javascript:history.go(-1)">Volver</a>');
	}

/*
********************************************* 
***********Curriculum validation*************
********************************************* 
*/

$curriculum_lenght = strlen($curriculum);
if ($curriculum_lenght > 600) {
	HandleError('Your curriculum lenght exide 600 characters <A HREF="javascript:history.go(-1)">Volver</a>');
	}

bradgrafelman

Welcome to PHPBuilder!

Before addressing your questions directly, let me first comment on some of your "'secure' methods":

fauvent;10997793 wrote:
2. Checking type with $_FILE['file'][type]

I would omit this step, since the MIME-type reported in that field is the one provided by the client; in other words, I could upload "my_file.jpg.exe" and claim it is of type "image/jpeg" and that is exactly what PHP would populate in the ['type'] array index. So it's pretty much useless. :p

fauvent;10997793 wrote:
5. Storing it in an "outside of the wwwroot" folder

Any particular reason you want to do this?

fauvent;10997793 wrote:
6. Adding an .htaccess file with this code inside:

Er, wait a minute - didn't you just say you were going to store the files "outside of the wwwroot" ? If so, it doesn't really make sense to create a .htaccess file in that directory, since it presumably should never be read or used in any way.

fauvent;10997793 wrote:
1. Is this validation enough to avoid malicious code injection?

I guess that would depend upon your definition of "malicious code injection."

If you're talking about SQL injections, for example, then none of the above are necessary - simply sanitize the data like you would any other string. If you're talking about hidden resource exploits (e.g. buried inside of valid image data), then none of the above will stop that.

fauvent;10997793 wrote:
2. How can I display that picture stored in an "outside wwwroot" folder?

You'd have to create another PHP script whose purpose is to retrieve and output the binary contents of a given image, and then you'd place that PHP script inside your "wwwroot" directory. Thus, all <img> elements and whatnot would be pointed to that PHP script (probably passing along which image they're after via the query string).

fauvent;10997793 wrote:
In case that some picture passed all this validation with a comment on it or a hidden malicious code, will be executed when i display it?

Again, that depends on what you mean by a "hidden malicious code."

fauvent

Hello bradgrafelman, thank you for taking time to read my thread.

I read that saving the file outside of the "wwwroot" gives an extra layer protection since the file is harder to find. Now, the file will be executed when will be displayed, am I right?

The file wont be saved as blob in mysql, but will be saved only as a reference string.

What you would recommend to make the upload more secure?
How can someone be protected from hidden resource exploits, like buried inside of valid image data?

Thank you

johanafm

fauvent;10997826 wrote:
I read that saving the file outside of the "wwwroot" gives an extra layer protection since the file is harder to find. Now, the file will be executed when will be displayed, am I right?

An image should never be "executed". That is the purpose of executable files. An image might be displayed by executing some other application whose purpose is to display images.

fauvent;10997826 wrote:
What you would recommend to make the upload more secure?

Once again, for what purpose?

A few things that may or may not apply
1. To prevent people without some means of authenticating themselves from accessing the images, either place the image outside of docroot OR use .htaccess to prevent direct access. Use a php script to retrieve image data.
2. Use https
3. Keep your php installation continously updated
4. Use [man]getimagesize[/man] to find out the mime type
5. Keep track of which user uploads what image
6. Don't display images until they have been manually verified to meet whatever criteria you have
7. Limit max upload file size in php.ini. This size should be lower than max post size, since max post involves everything in one post request, while file size applies to each individual file. There may also be more than image data sent with one form.
8. Keep max upload file size roughly 1/6 of max memory usage if you ever plan to use gd to manipulate the images, such as create thumbnails of them.
9. Do not let new users upload images. Demand that an account is older than N days before allowing uploads.
10. Ascertain that the random file name you generate doesn't allready exist.
11. If you will have, or will get, lots of images break off 2x2 characters (or more) in the beginning of the created filename and use those two parts to create a folder structure. Thus, your example file name 1dwe3402349f09830239098402938089422 would turn into 1d/we/3402349f09830239098402938089422. You do not want more than a few hundred thousand files per directory, probably less. In reality, the limit depends on the OS used.

I'm not saying that all of these measure should be taken. It depends completely on your needs.

fauvent;10997826 wrote:
How can someone be protected from hidden resource exploits, like buried inside of valid image data?

Such exploits depend on the application used to display the image. Thus the answer is to use an application which is not vulnerable. As usual, this also means to keep such an application continously updated.

fauvent

Thank you for the answer, I think I just been making wrong the questions. Thanks anyway. I will investigate deep in the topics that you already mention

Thank you so much guys!