Reliability of Mimetypes in Uploads (PHP)

I have had this question for a while: how exactly is the MIME type of a file determined? I believe this is done by checking whether specific bytes of the file contain any known magic numbers / file signatures, right?

If so, another question arises: let's say I upload a bash script with a fake GIF file signature to a website that allows you to upload images, what will happen? Either:

  • the mimetype detection routine is smart enough to detect fake signatures, or
  • image/gif is erroneously returned as the mimetype, and the upload is allowed to continue.

I don’t have a hex editor installed ATM, and I don’t like drawing security-related conclusions from tests, because I might miss (or misinterpret) something, so my question is: which of the above options is correct?

Also, are there any other recommendations (besides checking the mimetype) to ensure that any given file is actually what it seems / needs (or is allowed) to be? Thanks in advance.

PS: To be clear, I am not asking about the type index in $_FILES.

+7
3 answers

My understanding is that the MIME determination routines in the file upload code are extremely crude and that the MIME type in the $_FILES array simply cannot be trusted. In my experience, it is easily fooled.

You are better off using the Fileinfo library, which provides more reliable file type detection.

http://www.php.net/manual/en/ref.fileinfo.php

+6

If you are talking about $_FILES['userfile']['type'], this information is sent by the browser. It may or may not be present, and even if it's present, you should treat it just like any other user input.

If you are interested in checking images, you can use the getimagesize function to determine the type of file. This function returns NULL for images that it cannot understand. Even if it returns a valid image type, you can still reject the file, for example if you expect GIF and JPEG, and instead you get TIFF.

In addition, the web server determines whether or not to execute a file depending on file permissions (the execute bit and the shebang line) and the file extension. If you keep a check on these two, you're probably fine.

+2

My understanding is that this (vulnerable MIME types) is the reason that file names must be encrypted using various means when they are uploaded, and then stored in a database to be retrieved via ID numbers. Basically, someone may be able to upload a malicious script, but they can never find it to run it?

-1
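
The checks recommended across the answers (Fileinfo, getimagesize(), a controlled extension and a server-chosen file name), combined into one upload routine and run against the question's fake GIF. This is an added example, not code from any poster, and it adds a full GD decode and re-encode step that the thread does not mention; the names `store_image` and `ALLOWED` are hypothetical, and PHP 8 with the fileinfo and GD extensions is assumed.

```php
<?php
// Added example, not code from the thread. Requires PHP 8 with fileinfo and GD.
declare(strict_types=1);

// Allowlist: sniffed MIME type => extension the server will assign.
const ALLOWED = ['image/gif' => 'gif', 'image/jpeg' => 'jpg', 'image/png' => 'png'];

function store_image(string $tmpPath, string $destDir): string
{
    // 1. Sniff the content; $_FILES[...]['type'] is client input and is never read.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if (!is_string($mime) || !isset(ALLOWED[$mime])) {
        throw new RuntimeException('type not allowed: ' . var_export($mime, true));
    }
    // 2. Header parse. Like the signature check, this reads only the first bytes.
    $info = @getimagesize($tmpPath);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('header is not a supported image');
    }
    // 3. Full decode: the whole file has to parse as an image, not just its header.
    $img = @imagecreatefromstring((string) file_get_contents($tmpPath));
    if ($img === false) {
        throw new RuntimeException('image data does not decode');
    }
    // 4. Re-encode under a server-chosen random name and extension; the client's
    //    file name and bytes are not copied to disk.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = rtrim($destDir, '/') . '/' . $name;
    $ok = match ($mime) {
        'image/gif'  => imagegif($img, $dest),
        'image/jpeg' => imagejpeg($img, $dest, 90),
        'image/png'  => imagepng($img, $dest),
    };
    if (!$ok) {
        throw new RuntimeException('could not write image');
    }
    return $name;
}

// Constructed sample: the question's shell script behind a GIF signature.
$fake = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($fake, "GIF89a\n#!/bin/sh\necho hello\n");
echo 'finfo reports: ', (new finfo(FILEINFO_MIME_TYPE))->file($fake), "\n";
try {
    echo 'stored as ', store_image($fake, sys_get_temp_dir()), "\n";
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
unlink($fake);
```

In a real handler, pass the upload's `tmp_name` only after `is_uploaded_file()` succeeds, and point `$destDir` at a directory the web server does not execute files from. Re-encoding through GD keeps only the first frame of an animated GIF.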