I'm writing an upload script and would like to know what is the safest
way to validate a file type that is being uploaded to a server?
I am accepting just bmp, jpg, png, and gif.
Here are is what I have come accross:
$_FILES['userfile']['type'] - I heard this is not safe
$imginfo = getimagesize($f ilename); - I heard this is safer 7 1613
getimagesize is much safer -- it will try and evaluate the size of the
file - if it cant read it (it is currupt, not an image etc etc) then it
will return false.
if (getimagesize($ filename)) {
Process image ...
} else {
Launch missiles at bad people;
}
The beauty of it is that you will no doubt want to store the image size
info anyway so your killing two birds with one stone. http://us2.php.net/getimagesize
Of course my if is b0rked but you get the idea :D
Depends on what you mean by safe. If by safe you mean the absence of
malicious code, then it's safest to open and resave the image with the
GD functions. PHP Code can be present in valid image files. If there's
a way to get a site to include them (e.g. in a poorl front-controller
design), an attacker would be able to run arbitrary code.
Chung Leong (ch***********@ hotmail.com) wrote:
: Depends on what you mean by safe. If by safe you mean the absence of
: malicious code, then it's safest to open and resave the image with the
: GD functions.
I would be concerned about trying to parse the data if you don't trust it
already.
It depends on whether the image parser is designed with the intention of
detecting purposeful errors. Many parsers assume that the data is
basically trusted. Sure they reject obvious problems, but then accept
anything that superficially appears valid - but then blow up if the data
is not valid in an unexpected way. One commonly mentioned denial of
service exploit is to have compressed data that blows up to extremely
large sizes. Since images often contain compression, you could imagine a
carefully constructed "image" that would do that on purpose. A hacker
would upload that image with the hopes that end user browsers would be
hit, but instead hit pay dirt by DOS'ing your whole server when you try to
validate the data.
So I would think that if the image parser is specificly intended to
validate the data then sure, use it to validate the data.
But otherwise it might be a bad idea to parse it unless you need to parse
it anyway for your own internal uses.
(I have no idea whether the GD functions would be good for validating
potentialy malicious data.)
--
This space not for rent.
Somebody wrote: $_FILES['userfile']['type'] - I heard this is not safe
At bottom, it's user-input. By HTML4.01 browsers SHOULD (that
word wearing its RFC2119 hat) supply 'the appropriate content
type'; in other words there's no formal requirement that a
Content-Type always accompany a file upload request. If set,
however, $_FILES['foo']['type'] is the value of the Content-
Type header the browser sent as part of its form submission,
modulo any interference along the wire. There is the risk as
well of the value being set but, maliciously or otherwise,
being inappropriate.
$imginfo = getimagesize($f ilename); - I heard this is safer
$_FILES['foo']['type'] is a form (no pun intended!) of user-
input, so almost anything goes; getimagesize() ['mime'], on
the other hand, specifies only one of a limited set of values.
Neither are in themselves unsafe.
--
Jock fi********@gmai l.com wrote: I'm writing an upload script and would like to know what is the safest way to validate a file type that is being uploaded to a server?
I am accepting just bmp, jpg, png, and gif.
Here are is what I have come accross: $_FILES['userfile']['type'] - I heard this is not safe $imginfo = getimagesize($f ilename); - I heard this is safer
$tmp = $f_new = $_FILES["control_na me"]["tmp_name"];
$type = mime_content_ty pe($dir.$f_tmp) ;
switch ($type) {
case "image/jpeg":
echo "OK, it's a picture";
case "evil windows virus":
echo "Executable s not allowed!"
}
--
Kenneth Downs
Secure Data Software, Inc.
(Ken)nneth@(Sec )ure(Dat)a(.com )
Kenneth Downs wrote: fi********@gmai l.com wrote:
I'm writing an upload script and would like to know what is the safest way to validate a file type that is being uploaded to a server?
I am accepting just bmp, jpg, png, and gif.
Here are is what I have come accross: $_FILES['userfile']['type'] - I heard this is not safe $imginfo = getimagesize($f ilename); - I heard this is safer $tmp = $f_new = $_FILES["control_na me"]["tmp_name"]; $type = mime_content_ty pe($dir.$f_tmp) ;
^^^^^^^^
that's a mistake, s/b: mime_content_ty pe($tmp); switch ($type) { case "image/jpeg": echo "OK, it's a picture"; case "evil windows virus": echo "Executable s not allowed!" }
--
Kenneth Downs
Secure Data Software, Inc.
(Ken)nneth@(Sec )ure(Dat)a(.com ) This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics |
by: martinnitram |
last post by:
Dear all,
in python, a thread can be created by t = threading.Thread. But i
found that when the main (and the thread) program is running and user
use Crtl+C/Crtl+Z to break the program abnormally, the thread is still
running and needed to kill manually (by the pid). Is there had any
safest way to kill/exit the thread program under python (when the
thread program part is a forever loop)?
Thank a lot
|
by: Joseph Turian |
last post by:
Hi,
What is the safest manner to extend search path for modules, minimizing
the likelihood of shooting oneself in the foot?
The system (which includes scripts and their shared modules) may be
checked out in several different locations, but a script in a
particular checked-out version of the system should only use modules
from that checkout location.
|
by: Jim Heavey |
last post by:
When should you use the Page.Validate() method? I thought you would use this method if you have some Server side validation (CustomControl's) you wanted to use and this would cause them to be invoked. I am probably wrong about that.
If I am suppose to use this function, the edits seemed to be invoked even when you have pressed the cancel and the "CausesValidation" is set to false. Is there a way to get around this (might just be an...
|
by: jjbutera |
last post by:
I know how to use the ErrorProvider in my winforms..or do I? I validate
the values and set the ErrorProvider in the validating event. If not
valid, I set e.Cancel = True. I clear the ErrorProvider in the
validated event.
Is there a way to know if all validated controls pass validation when
the user clicks an OK button? In ASP.Net there's the Page.IsValid
method. Is there something similar in winforms, or do I still have to
write an...
|
by: Aussie Rules |
last post by:
Hi,
I have a few aspx (.net2) form.
The first form allows the user to enter into text box, and select values
from drop downs
The second form needs to use these values to process some data.
I am currently using the url to pass the values such as
| |
by: Mike Hofer |
last post by:
Please forgive the cross-post to multiple forums. I did it
intentionally, but I *think* it was appropriate given the nature of my
question.
I'm working on an open source code library to help automate and clean
up parameter validation code. It's almost ready to go into open beta.
But one last little glitch is holding me up, and that would be the
name of the factory class that serves as the entry point into the
library: Validate.
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look !
Part I. Meaning of...
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it.
First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
|
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed.
This is as boiled down as I can make it.
Here is my compilation command:
g++-12 -std=c++20 -Wnarrowing bit_field.cpp
Here is the code in...
|
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth.
The Art of Business Website Design
Your website is...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
| |
by: tracyyun |
last post by:
Dear forum friends,
With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
|
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules.
He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms.
Adolph will...
|
by: conductexam |
last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one.
At the time of converting from word file to html my equations which are in the word document file was convert into image.
Globals.ThisAddIn.Application.ActiveDocument.Select();...
|
by: muto222 |
last post by:
How can i add a mobile payment intergratation into php mysql website.
| |