
Safest Way To Validate

I'm writing an upload script and would like to know what is the safest
way to validate a file type that is being uploaded to a server?

I am accepting just bmp, jpg, png, and gif.

Here is what I have come across:
$_FILES['userfile']['type'] - I heard this is not safe
$imginfo = getimagesize($filename); - I heard this is safer

Aug 22 '05 #1
7 Replies


getimagesize is much safer -- it will try and evaluate the size of the
file - if it can't read it (it is corrupt, not an image etc etc) then it
will return false.

if (getimagesize($filename)) {
Process image ...
} else {
Launch missiles at bad people;
}

The beauty of it is that you will no doubt want to store the image size
info anyway so you're killing two birds with one stone.

http://us2.php.net/getimagesize

Aug 22 '05 #2

Of course my if is b0rked but you get the idea :D

Aug 22 '05 #3

Depends on what you mean by safe. If by safe you mean the absence of
malicious code, then it's safest to open and resave the image with the
GD functions. PHP Code can be present in valid image files. If there's
a way to get a site to include them (e.g. in a poor front-controller
design), an attacker would be able to run arbitrary code.

Aug 23 '05 #4

Chung Leong (ch***********@hotmail.com) wrote:
: Depends on what you mean by safe. If by safe you mean the absence of
: malicious code, then it's safest to open and resave the image with the
: GD functions.

I would be concerned about trying to parse the data if you don't trust it
already.

It depends on whether the image parser is designed with the intention of
detecting purposeful errors. Many parsers assume that the data is
basically trusted. Sure they reject obvious problems, but then accept
anything that superficially appears valid - but then blow up if the data
is not valid in an unexpected way. One commonly mentioned denial of
service exploit is to have compressed data that blows up to extremely
large sizes. Since images often contain compression, you could imagine a
carefully constructed "image" that would do that on purpose. A hacker
would upload that image with the hopes that end user browsers would be
hit, but instead hit pay dirt by DOS'ing your whole server when you try to
validate the data.

So I would think that if the image parser is specifically intended to
validate the data then sure, use it to validate the data.

But otherwise it might be a bad idea to parse it unless you need to parse
it anyway for your own internal uses.

(I have no idea whether the GD functions would be good for validating
potentially malicious data.)

--

This space not for rent.
Aug 23 '05 #5

Somebody wrote:
> $_FILES['userfile']['type'] - I heard this is not safe
At bottom, it's user-input. By HTML4.01 browsers SHOULD (that
word wearing its RFC2119 hat) supply 'the appropriate content
type'; in other words there's no formal requirement that a
Content-Type always accompany a file upload request. If set,
however, $_FILES['foo']['type'] is the value of the Content-
Type header the browser sent as part of its form submission,
modulo any interference along the wire. There is the risk as
well of the value being set but, maliciously or otherwise,
being inappropriate.
> $imginfo = getimagesize($filename); - I heard this is safer


$_FILES['foo']['type'] is a form (no pun intended!) of user-
input, so almost anything goes; getimagesize() ['mime'], on
the other hand, specifies only one of a limited set of values.
Neither are in themselves unsafe.

--
Jock
Aug 23 '05 #6
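
Added example, not part of any post in this thread: one way to combine the points raised in replies #4 to #6, taking the type from the file content rather than the browser, bounding the pixel count before decoding, and re-encoding with GD. It assumes PHP 7.2 or later with the GD extension; the function names, both limits and the marker string are made up for illustration.

```php
<?php
const MAX_BYTES  = 5242880;    // assumed cap on the uploaded file (5 MiB)
const MAX_PIXELS = 25000000;   // assumed cap on width * height before decoding
// Returns re-encoded PNG bytes for an accepted image, or throws.
function sanitize_image_file(string $path): string
{
    if (filesize($path) > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Type comes from the file content, never from $_FILES[...]['type'].
    $info = @getimagesize($path);
    $allowed = [IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_BMP];
    if ($info === false || !in_array($info[2], $allowed, true)) {
        throw new RuntimeException('not an accepted image type');
    }
    // Reject oversized canvases before GD allocates memory to decode them.
    if ($info[0] < 1 || $info[1] < 1 || $info[0] * $info[1] > MAX_PIXELS) {
        throw new RuntimeException('image dimensions out of range');
    }
    $img = @imagecreatefromstring(file_get_contents($path));
    if ($img === false) {
        throw new RuntimeException('image could not be decoded');
    }
    // Pixels only: metadata and trailing bytes are dropped; GIFs keep frame 1.
    imagesavealpha($img, true);
    ob_start();
    imagepng($img);
    return ob_get_clean();
}

// Entry point for one $_FILES element (field name is up to the caller).
function sanitize_image_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    return sanitize_image_file($file['tmp_name']);
}

// Constructed sample: a valid 4x4 PNG with extra bytes appended after it.
$marker = 'CONSTRUCTED-TRAILING-MARKER';
ob_start();
imagepng(imagecreatetruecolor(4, 4));
$tmp = tempnam(sys_get_temp_dir(), 'img');
file_put_contents($tmp, ob_get_clean() . $marker);
var_dump(getimagesize($tmp) !== false);                          // header check alone
var_dump(strpos(sanitize_image_file($tmp), $marker) === false);  // after re-encoding
unlink($tmp);
```

Store the returned bytes under a server-generated name with a `.png` extension, so neither the client's filename nor its declared type reaches the filesystem.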

fi********@gmail.com wrote:
> I'm writing an upload script and would like to know what is the safest
> way to validate a file type that is being uploaded to a server?
>
> I am accepting just bmp, jpg, png, and gif.
>
> Here is what I have come across:
> $_FILES['userfile']['type'] - I heard this is not safe
> $imginfo = getimagesize($filename); - I heard this is safer


$tmp = $f_new = $_FILES["control_name"]["tmp_name"];
$type = mime_content_type($dir.$f_tmp);

switch ($type) {
    case "image/jpeg":
        echo "OK, it's a picture";
        break;
    case "evil windows virus":
        echo "Executables not allowed!";
        break;
}
--
Kenneth Downs
Secure Data Software, Inc.
(Ken)nneth@(Sec)ure(Dat)a(.com)
Aug 24 '05 #7

Kenneth Downs wrote:
> fi********@gmail.com wrote:
>> I'm writing an upload script and would like to know what is the safest
>> way to validate a file type that is being uploaded to a server?
>>
>> I am accepting just bmp, jpg, png, and gif.
>>
>> Here is what I have come across:
>> $_FILES['userfile']['type'] - I heard this is not safe
>> $imginfo = getimagesize($filename); - I heard this is safer
>
> $tmp = $f_new = $_FILES["control_name"]["tmp_name"];
> $type = mime_content_type($dir.$f_tmp);
                            ^^^^^^^^
that's a mistake, s/b: mime_content_type($tmp);

> switch ($type) {
>     case "image/jpeg":
>         echo "OK, it's a picture";
>         break;
>     case "evil windows virus":
>         echo "Executables not allowed!";
>         break;
> }


--
Kenneth Downs
Secure Data Software, Inc.
(Ken)nneth@(Sec)ure(Dat)a(.com)
Aug 24 '05 #8
