How to verify that the downloaded file is a video?

I have a server on which there is very important information, so security is a big problem. The user must be able to upload videos. I know that allowing users to upload files poses a security risk because there is no 100% way to prevent them from downloading non-videos. But I obviously can choose the files that the server will save.

I know that checking the file extension will be insufficient. MIME type checking is better, but it can still be faked. So, how do I check whether a file is a video?

+4
4 answers

Play it!

The only way to make sure that you have a code that decodes the video of the type in question is to look at it (and check there are reasonable results, for example, non-zero duration).

Otherwise, your risks are low:

Non-malicious scenario:

  • Uploader downloads video with video/* content.
  • You save the octets and content type.
  • Downloader downloads the video, and you use the type of content that you received.
  • Downloader watches a video (or grumbles about codecs, etc.).

Malicious scenario 1:

  • Uploader downloads an unpleasant trojan with video/* content.
  • You save the octets and content type.
  • Downloader downloads nasty trojan and you are using the type of content you received.
  • Downloader opens a nasty trojan in a video player. Nasty trojan does nothing because this is not a video. The user grumbles about codecs. Worse, the script, they write a rant on the Ubuntu forums about the lack of support for proprietary formats, add unwritten comments on your page about how the site sucks because the video does not work, etc.

Malicious scenario 2:

  • Uploader downloads an unpleasant trojan that is recorded in a video that uses some buffer overflow problem with a popular video player.
  • You save ...
  • Downloader ...
  • It can be like one of the above, but it can also be that they fall under the exploit (if they use an infected player).

Three notes about scenario 2:

  • Testing this video does not guarantee security, as it may work well in some players.
  • Testing this video may make your server vulnerable to exploit if the vulnerability is in ffmpeg!
  • Operations of this type are both rare and difficult. The overall risk is the same as downloading and downloading jpeg or png. In fact, this is a bit smaller (there was actually an exploit of this type, affecting the frequently used jpeg libraries for a while).

In general, just make sure that you only output with the types of content you accept and force the addition of file extensions; if the user is downloading a video/mpeg called hahaha.exe, then rename it hahaha.mpg.

Edit: Oh, also:

Malicious scenario 3:

Uploader uploads a video that some players use in a way that uses a lot of resources. In this case, the bootloader will just kill -9 / ctrl-alt-delete / your-OSs-kill-them-all-of-choice, but if your server is testing this video, then this may end in trouble, since no one is there to step in and kill the 200 (and growing, as the script kiddies continue to load more) "videos" that it is trying to interpret.

Just doing the usual video processing may be enough to present DoS to you (video processing is relatively difficult in the end), so testing the file can lead to greater dangers, which will save you from.

+9
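The renaming advice in the answer above (a `video/mpeg` upload called hahaha.exe is stored as hahaha.mpg, and files are only served under accepted content types), sketched as an added example that is not part of the original answer. The allowlist, the function names and the `X-Content-Type-Options: nosniff` response header are assumptions of this sketch.

```python
import re

# Accepted content types and the single extension each is stored under
# (assumed allowlist for this example).
ACCEPTED = {"video/mpeg": ".mpg", "video/mp4": ".mp4", "video/webm": ".webm"}

def stored_name(upload_name, declared_type):
    """Return a storage name with a forced extension, or None to reject."""
    ctype = declared_type.split(";", 1)[0].strip().lower()
    ext = ACCEPTED.get(ctype)
    if ext is None:
        return None                                  # type we do not accept
    base = re.split(r"[\\/]", upload_name)[-1]       # drop any client-side path
    stem = base.rsplit(".", 1)[0] if "." in base else base
    # Keep a conservative character set so no second extension survives.
    stem = re.sub(r"[^A-Za-z0-9_-]", "_", stem).strip("_") or "upload"
    return stem[:100] + ext

def download_headers(name):
    """Headers for serving a stored file: the type comes from our extension only."""
    ext = "." + name.rsplit(".", 1)[-1]
    ctype = {v: k for k, v in ACCEPTED.items()}.get(ext)
    if ctype is None:
        raise ValueError("not a file this service stored")
    # nosniff asks browsers not to second-guess the declared type.
    return {"Content-Type": ctype, "X-Content-Type-Options": "nosniff"}
```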

Users can safely download everything while it goes to the right directory, and nothing on the server tries to start it (and if it should be a video, nothing will try). A malicious program cannot do anything if the victim somehow activates it.

+2

You can call ffmpeg via php extension:

https://github.com/char0n/ffmpeg-php/

which essentially completes the output of ffmpeg, which you can then check in php. However, first you should first ffmpeg, which in itself is a solid topic. If you do not want to use the library, you can execute ffmpeg yourself through exec.

Also, I would look at the mimetype type. You can also check the file on the client side in the input file via JS (not in all browsers, and this replacement is not for true verification).

L.G.,

Flo

+2

I agree that if video games do not have a problem that can be used through some damaged video files, I will not worry. But say that it was not necessary for security reasons to check if you have a video file, and all this is valid, you can follow these steps.

  • Run ffprobe in the file with no arguments. It will provide some information about the file. Codecs, containers, duration, frame rate, bit rate.
  • Now run ffprobe with -show_packets. It should produce frame-by-frame file information. You should get as many video frames as the length * frame_rate specified by the first command. This can be checked, because someone can simply give the processed title or the initial section of the file, there may be a valid video (ffmpeg and ffprobe will only check the first few seconds of the video to check its type), the rest may be damaged.
  • Run ffprobe with -show_frames. This will try and decrypt the headers of each frame to ensure that each of them is a valid video frame. This is an additional step because some container has a table that can be used for show_packets. Consequently, ffprobe could simply read that the table and the data it points to could be corrupted.

Now it is theoretically possible that the file has all the valid headers for each frame, but the data is incorrect, but without decoding the actual content and viewing it on the player, this is the best you can do afaik. And I would say that it is good enough, and it is very fast.

0
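The ffprobe comparison from the answer above (packets and decoded frames against duration × frame rate), as an added example that is not part of the original answers. It uses ffprobe's `-count_packets` and `-count_frames` counters rather than parsing the full `-show_packets` / `-show_frames` listings, and runs the probe under CPU, memory and wall-clock limits because the first answer warns that inspecting uploads can itself exhaust the server. The limits, tolerance and sample values are assumptions constructed for this sketch.

```python
import json
import resource
import subprocess
from fractions import Fraction

# Count packets and decoded frames of the first video stream, output as JSON.
FFPROBE = ["ffprobe", "-v", "error", "-select_streams", "v:0",
           "-count_packets", "-count_frames", "-show_entries",
           "stream=codec_type,avg_frame_rate,duration,nb_read_packets,nb_read_frames",
           "-of", "json", "-i"]

def _limit_child():
    # Runs in the child before exec: cap CPU seconds and memory (assumed budgets).
    resource.setrlimit(resource.RLIMIT_CPU, (30, 30))
    resource.setrlimit(resource.RLIMIT_AS, (1 << 30, 1 << 30))

def probe(path, wall_timeout=60):
    """Run ffprobe on a server-named upload; None means failed, hung or killed."""
    try:
        done = subprocess.run(FFPROBE + [path], capture_output=True,
                              timeout=wall_timeout, preexec_fn=_limit_child)
        return json.loads(done.stdout) if done.returncode == 0 else None
    except (subprocess.SubprocessError, OSError, ValueError):
        return None

def evaluate(info, tolerance=0.05):
    """Compare counted packets/frames with duration * frame rate."""
    streams = (info or {}).get("streams") or []
    if not streams or streams[0].get("codec_type") != "video":
        return False, "no video stream"
    s = streams[0]
    try:
        expected = float(s["duration"]) * Fraction(s["avg_frame_rate"])
        packets, frames = int(s["nb_read_packets"]), int(s["nb_read_frames"])
    except (KeyError, ValueError, ZeroDivisionError):
        return False, "missing or unparsable stream fields"
    if expected <= 0:
        return False, "zero duration"
    slack = max(1, tolerance * expected)
    if abs(packets - expected) > slack:
        return False, "packet count does not match duration"
    if abs(frames - expected) > slack:
        return False, "decoded frame count does not match duration"
    return True, "ok"

# Constructed ffprobe results (not from a real file): complete vs. truncated upload.
GOOD = {"streams": [{"codec_type": "video", "avg_frame_rate": "30000/1001",
        "duration": "10.010000", "nb_read_packets": "300", "nb_read_frames": "300"}]}
TRUNCATED = {"streams": [dict(GOOD["streams"][0], nb_read_frames="42")]}
```

A file passes only when `evaluate(probe(path))` returns `(True, "ok")`; a `None` from `probe` (timeout, crash, limit hit) is treated the same as a failed check.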