I'm writing an upload script and would like to know what is the safest
way to validate a file type that is being uploaded to a server?

I am accepting just bmp, jpg, png, and gif.

Here are is what I have come accross:
$_FILES['userfile']['type'] - I heard this is not safe
$imginfo = getimagesize($filename); - I heard this is safer

getimagesize is much safer -- it will try and evaluate the size of the
file - if it cant read it (it is currupt, not an image etc etc) then it
will return false.

if (getimagesize($filename)) {
Process image ...
} else {
Launch missiles at bad people;
}

The beauty of it is that you will no doubt want to store the image size
info anyway so your killing two birds with one stone.

http://us2.php.net/getimagesize

Of course my if is b0rked but you get the idea :D

Depends on what you mean by safe. If by safe you mean the absence of
malicious code, then it's safest to open and resave the image with the
GD functions. PHP Code can be present in valid image files. If there's
a way to get a site to include them (e.g. in a poorl front-controller
design), an attacker would be able to run arbitrary code.

Chung Leong (chernyshevsky@hotmail.com) wrote:
: Depends on what you mean by safe. If by safe you mean the absence of
: malicious code, then it's safest to open and resave the image with the
: GD functions.

I would be concerned about trying to parse the data if you don't trust it
already.

It depends on whether the image parser is designed with the intention of
detecting purposeful errors. Many parsers assume that the data is
basically trusted. Sure they reject obvious problems, but then accept
anything that superficially appears valid - but then blow up if the data
is not valid in an unexpected way. One commonly mentioned denial of
service exploit is to have compressed data that blows up to extremely
large sizes. Since images often contain compression, you could imagine a
carefully constructed "image" that would do that on purpose. A hacker
would upload that image with the hopes that end user browsers would be
hit, but instead hit pay dirt by DOS'ing your whole server when you try to
validate the data.

So I would think that if the image parser is specificly intended to
validate the data then sure, use it to validate the data.

But otherwise it might be a bad idea to parse it unless you need to parse
it anyway for your own internal uses.

(I have no idea whether the GD functions would be good for validating
potentialy malicious data.)

--

This space not for rent.

Somebody wrote:
[color=blue]
> $_FILES['userfile']['type'] - I heard this is not safe[/color]

At bottom, it's user-input. By HTML4.01 browsers SHOULD (that
word wearing its RFC2119 hat) supply 'the appropriate content
type'; in other words there's no formal requirement that a
Content-Type always accompany a file upload request. If set,
however, $_FILES['foo']['type'] is the value of the Content-
Type header the browser sent as part of its form submission,
modulo any interference along the wire. There is the risk as
well of the value being set but, maliciously or otherwise,
being inappropriate.
[color=blue]
> $imginfo = getimagesize($filename); - I heard this is safer[/color]

$_FILES['foo']['type'] is a form (no pun intended!) of user-
input, so almost anything goes; getimagesize() ['mime'], on
the other hand, specifies only one of a limited set of values.
Neither are in themselves unsafe.

--
Jock

fingermark@gmail.com wrote:
[color=blue]
> I'm writing an upload script and would like to know what is the safest
> way to validate a file type that is being uploaded to a server?
>
> I am accepting just bmp, jpg, png, and gif.
>
> Here are is what I have come accross:
> $_FILES['userfile']['type'] - I heard this is not safe
> $imginfo = getimagesize($filename); - I heard this is safer[/color]

$tmp = $f_new = $_FILES["control_name"]["tmp_name"];
$type = mime_content_type($dir.$f_tmp);

switch ($type) {
case "image/jpeg":
echo "OK, it's a picture";
case "evil windows virus":
echo "Executables not allowed!"
}


--
Kenneth Downs
Secure Data Software, Inc.
(Ken)nneth@(Sec)ure(Dat)a(.com)

Kenneth Downs wrote:
[color=blue]
> fingermark@gmail.com wrote:
>[color=green]
>> I'm writing an upload script and would like to know what is the safest
>> way to validate a file type that is being uploaded to a server?
>>
>> I am accepting just bmp, jpg, png, and gif.
>>
>> Here are is what I have come accross:
>> $_FILES['userfile']['type'] - I heard this is not safe
>> $imginfo = getimagesize($filename); - I heard this is safer[/color]
>
> $tmp = $f_new = $_FILES["control_name"]["tmp_name"];
> $type = mime_content_type($dir.$f_tmp);[/color]
^^^^^^^^
that's a mistake, s/b: mime_content_type($tmp);
[color=blue]
>
> switch ($type) {
> case "image/jpeg":
> echo "OK, it's a picture";
> case "evil windows virus":
> echo "Executables not allowed!"
> }
>
>[/color]

--
Kenneth Downs
Secure Data Software, Inc.
(Ken)nneth@(Sec)ure(Dat)a(.com)