Geek Answers Handbook

How to make sure that they download certain files

Well, I allow (within the script) to download certain types of files using the Forum Admin Defined approach! How can I find out if these files match the type set by the administrator to make sure they are not fake files. I am currently using a mime type approach, but different browsers can set different mime types, so this does not help much. Checking the file extension also does not help, because people can get around this by providing it with an extension that is allowed but will have a different file type.

Perhaps there is a link to a way to check for bytes in different files of different types to make sure that it is of the correct type? Perhaps this can also be tampered with, but at least it would be a little more accurate when using the form to upload files and submit them.

Can someone please help me with ideas about this?

Thanks:)

+7
source share
2 answers

PECL fileinfo (or built-in> 5.3) will check byte signatures of files to guess their types, so it protects people by simply changing the file extension. In some cases, it is still possible to include malicious bytes in a file corresponding to the corresponding byte signature for the file type.

From the PHP docs:

 // Procedural style $finfo = finfo_open(FILEINFO_MIME_TYPE); // return mime type ala mimetype extension echo finfo_file($finfo, $filename); finfo_close($finfo); // OO style $finfo = new finfo(FILEINFO_MIME_TYPE); echo $finfo->file($filename); $finfo->close();

On a Unix server, I believe finfo_file() treats the same byte database as a GNU file utility.

+3
source

Never trust user input. Checking for a specific type of file / mimetype should never be used as a way to prevent users from downloading malicious content to your server. If the goal is server security, then simply do not allow content on the server if it is uploaded by the user. For files uploaded by other people, be sure to indicate that the content was created by the user and is not guaranteed to be error-free.

0
source

More articles:


All Articles