
Safely uploading files

What is the best way to sanitize and check the validity of an uploaded
file? I don't seem to see any functions that will check a file is what
it purports to be.
--
Geoff Berrow 0110001001101100010000000110
001101101011011001000110111101100111001011
100110001101101111001011100111010101101011
http://slipperyhill.co.uk - http://4theweb.co.uk
Sep 3 '08 #1
6 Replies


Geoff Berrow wrote:
> What is the best way to sanitize and check the validity of an uploaded
> file? I don't seem to see any functions that will check a file is what
> it purports to be.

Handling file uploads: http://nl.php.net/manual/en/features.file-upload.php

It depends on your case how you would check the uploaded file. In any
case, you do not want to allow uploading .php files to a location which
allows executing them.

If you want to allow only a certain type of files you may find the unix
'file' command useful, which tries to determine the file type from the
content of a file. If you only allow images, you may use GD or
ImageMagick to check whether the images are valid. However, this would
still allow things such as the JPEG/GDI+ exploit, where it is possible to
upload a malicious file as a valid JPEG.

What files do you want to allow?
Sep 3 '08 #2

Message-ID: <2b***************************@news.chello.nl> from Sjoerd
contained the following:

> What files do you want to allow?

.doc .docx and .ppt
--
Geoff Berrow 0110001001101100010000000110
001101101011011001000110111101100111001011
100110001101101111001011100111010101101011
http://slipperyhill.co.uk - http://4theweb.co.uk
Sep 3 '08 #3

On 3 Sep, 23:51, Geoff Berrow <blthe...@ckdog.co.uk> wrote:
> Message-ID: <2b***************************@news.chello.nl> from Sjoerd
> contained the following:
>
>> What files do you want to allow?
>
> .doc .docx and .ppt

And you want to make sure they're not malware?

Short answer is you can't: this is why a lot of people don't like
Microsoft's products and file formats, or indeed any proprietary
formats.

You could run a virus checker on them and keep your fingers crossed.

Normally I'd recommend converting them to a different format (e.g. PNG
to TIFF) then, optionally converting them back again, and there are
tools like wv which will convert .doc files without too much loss of
information to HTML, or if you're really masochistic use the automation
features in OpenOffice.

C.
Sep 4 '08 #4

Geoff Berrow wrote:
> What is the best way to sanitize and check the validity of an uploaded
> file? I don't seem to see any functions that will check a file is what
> it purports to be.

If the intent is to keep someone from executing something on your
server, I upload the file to a directory that is NOT in the htdocs
directory structure and is not visible to the web server except via your
php script therefore preventing them from crafting something that will
execute it.

I used something I copied from someone else searching for "php upload
multiple files".

I also do not use MAC, Windows or UNIX which allows me much more control
over where/when/how/who can access files.
Sep 5 '08 #5
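
An added sketch of the storage layout Michael Austin describes (files kept outside htdocs and reachable only through a PHP script); it is not code from any poster. The function names, the 32-hex-character ID scheme and the temporary directory standing in for the real storage folder are assumptions.

```php
<?php
// Added example, not code from the thread; names and the ID scheme are assumptions.

/** Pick a storage name the uploader cannot influence: 32 hex chars, no extension. */
function new_paper_id(): string
{
    return bin2hex(random_bytes(16));
}

/** Map a requested ID to a file inside $storeDir, or null if it is not one of ours. */
function resolve_paper(string $storeDir, string $id): ?string
{
    if (preg_match('/\A[0-9a-f]{32}\z/', $id) !== 1) {
        return null;                       // rejects "../", slashes and NUL bytes
    }
    $base = realpath($storeDir);
    $path = realpath($storeDir . DIRECTORY_SEPARATOR . $id);
    if ($base === false || $path === false || dirname($path) !== $base || !is_file($path)) {
        return null;                       // missing, or resolves outside the store
    }
    return $path;
}

/** Stream the file as a download so the browser never renders or sniffs it. */
function send_paper(string $path, string $downloadName): void
{
    // Keep only characters that are safe inside the quoted header value.
    $safe = preg_replace('/[^A-Za-z0-9._-]/', '_', $downloadName);
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $safe . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

// Constructed demo: a temporary directory stands in for the folder outside htdocs.
// In a real handler the file would arrive there via move_uploaded_file().
$store = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'papers_' . new_paper_id();
mkdir($store, 0700);
$id = new_paper_id();
file_put_contents($store . DIRECTORY_SEPARATOR . $id, 'constructed sample content');
var_dump(resolve_paper($store, $id) !== null);       // a stored ID resolves
var_dump(resolve_paper($store, '../../etc/passwd')); // a traversal attempt does not
unlink($store . DIRECTORY_SEPARATOR . $id);
rmdir($store);
```

Because the stored name carries no extension and the directory is not mapped to any URL, the web server has no way to hand the file to an interpreter; the download script is the only route to it.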

Message-ID: <LV*******************@nlpi066.nbdc.sbc.com> from Michael
Austin contained the following:

> If the intent is to keep someone from executing something on your
> server, I upload the file to a directory that is NOT in the htdocs
> directory structure and is not visible to the web server except via your
> php script therefore preventing them from crafting something that will
> execute it.

I do that too but I have more problems than that. Academics login
(using a previously verified email address) and upload papers. The
files are checked to see that they are of the allowable filetypes and
then renamed and saved in a folder above the webroot. The trackleaders
then log in and can download the papers for evaluation.

So, not only do I need to protect the server, I'd like to protect the
trackleaders as well. Or should I write a disclaimer saying I can't be
responsible for the content?
--
Geoff Berrow 0110001001101100010000000110
001101101011011001000110111101100111001011
100110001101101111001011100111010101101011
http://slipperyhill.co.uk - http://4theweb.co.uk
Sep 5 '08 #6

Geoff Berrow wrote:
> Message-ID: <LV*******************@nlpi066.nbdc.sbc.com> from Michael
> Austin contained the following:
>
>> If the intent is to keep someone from executing something on your
>> server, I upload the file to a directory that is NOT in the htdocs
>> directory structure and is not visible to the web server except via your
>> php script therefore preventing them from crafting something that will
>> execute it.
>
> I do that too but I have more problems than that. Academics login
> (using a previously verified email address) and upload papers. The
> files are checked to see that they are of the allowable filetypes and
> then renamed and saved in a folder above the webroot. The trackleaders
> then log in and can download the papers for evaluation.
>
> So, not only do I need to protect the server, I'd like to protect the
> trackleaders as well. Or should I write a disclaimer saying I can't be
> responsible for the content?

You definitely need a disclaimer. No matter how much you check them,
you can always miss something. And you don't want to get sued because
someone plagiarized someone else's work.

And you won't be able to tell for sure what type a document is. For
instance, you can't be 100% assured this is a MS Word doc. You can get
close with a lot of work, but never 100%.

My suggestion would be to parse the file for things like <?php, etc.
Definitely run a virus scanner against the file. If you don't find
anything dangerous, continue the processing. Otherwise reject the
upload and tell the user why.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

Sep 5 '08 #7
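
An added example, not code from any poster, of the content checks discussed in this thread for the three allowed types: .doc and .ppt must start with the OLE2 compound-file header, .docx must be a ZIP holding the Word package parts, and a `<?php` tag is refused as Jerry Stuckle suggests. The function and constant names are hypothetical, and the ZipArchive class requires PHP's zip extension.

```php
<?php
// Added example, not code from the thread. Function and constant names are hypothetical.
const OLE2_MAGIC = "\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"; // header of legacy .doc/.ppt containers
const ZIP_MAGIC  = "PK\x03\x04";                        // .docx is a ZIP package

/** Returns null when the file passes, otherwise the reason for rejection. */
function check_upload(string $path, string $clientName): ?string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, ['doc', 'docx', 'ppt'], true)) {
        return "extension .$ext is not allowed";
    }
    $data = file_get_contents($path);
    if ($data === false) {
        return 'file is unreadable';
    }
    if ($ext === 'docx') {
        if (strncmp($data, ZIP_MAGIC, 4) !== 0) {
            return 'not a ZIP container';
        }
        $zip = new ZipArchive();
        if ($zip->open($path) !== true) {
            return 'ZIP structure is corrupt';
        }
        $ok = $zip->locateName('[Content_Types].xml') !== false
           && $zip->locateName('word/document.xml') !== false;
        $zip->close();
        if (!$ok) {
            return 'ZIP lacks the Word package parts';
        }
    } elseif (strncmp($data, OLE2_MAGIC, 8) !== 0) {
        return 'not an OLE2 compound file';
    }
    // Jerry Stuckle's suggestion: refuse anything carrying a PHP open tag.
    if (stripos($data, '<?php') !== false) {
        return 'contains a PHP open tag';
    }
    return null;
}

// Constructed samples: a script renamed to .doc, and a bare OLE2 header.
$fake = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($fake, "<?php echo 'hi'; ?>");
$real = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($real, OLE2_MAGIC . str_repeat("\0", 504));
var_dump(check_upload($fake, 'paper.doc'));
var_dump(check_upload($real, 'paper.doc'));
unlink($fake); unlink($real);
```

Passing these checks only shows that the container is the expected kind; as the replies say, it does not show the document is harmless, so the virus scan still applies. The `<?php` scan reads raw bytes and does not look inside compressed .docx parts.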
