PHP file upload: mime confirmation or extension?

When I try to process a file upload, should I run a check based on the MIME file type or file extension?

What are the pros and cons of these two ways to check files?

And are there any other security issues I should worry about?

So far I have relied on the MIME type, but the answer with the most votes in this post,

Problems uploading files in PHP,

says:

Never rely on the MIME type sent by the browser!

+11
php file-upload
Sep 08 '11
4 answers

Well, since there has been someone telling all the geniuses "SCREW EXTENSIONS, CHECK MIME! FILEINFO RLZ!", I have prepared a few lessons:

  • Download the cute PHP logo that I drew
  • Take a look. Pretty nice, isn't it?
  • Rename it to what_you_like.php
  • Put it through all your awesome MIME-type / whatever checkers
  • Run it

In conclusion, you should NEVER, NEVER rely on the MIME type. Your web server does not care about the MIME type; it decides what to do based on the EXTENSION, so the ultimately downvoted answer by @Col. Shrapnel is actually right. Any information given to you by something that checks the MIME type is completely irrelevant to your web server when it comes to execution.

EDIT: a not-so-unusual piece of code-you-wish-you-had-never-seen that opens a site to this type of attack:

    <?php
    // Vulnerable: trusts the sniffed MIME type, then stores the file under the
    // client-supplied name inside a web-served directory.
    $mimetype = mime_content_type($_FILES['file']['tmp_name']);
    if (in_array($mimetype, array('image/jpeg', 'image/gif', 'image/png'))) {
        move_uploaded_file($_FILES['file']['tmp_name'], '/whatever/something/imagedir/' . $_FILES['file']['name']);
        echo 'OK';
    } else {
        echo 'Upload a real image, jerk!';
    }
+22
Sep 08 '11
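As an added example, not part of the answer above or of any project: a hardened counterpart to that snippet. It ignores the client's claimed type, sniffs the real content with PHP's fileinfo extension, rejects anything whose detected type is not in a short allow-list, has the image decoder confirm the result, and then writes the file under a server-generated name with a server-chosen extension, so the client's file name never reaches the filesystem. The form field name "file", the UPLOAD_DIR path and the 2 MiB limit are assumptions made for this example; the directory must be one your web server does not execute scripts from (outside the document root, or with PHP disabled for that path).

```php
<?php
// Added example (not from the original post): hardened upload handler.
// Assumptions: the form field is named "file"; UPLOAD_DIR is a directory the
// web server will NOT execute scripts from; MAX_BYTES is an arbitrary limit.
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/uploads';   // placeholder path, adjust for your setup
const MAX_BYTES  = 2 * 1024 * 1024;      // 2 MiB

// Map of MIME types detected from the *content* to the single extension we
// are willing to store. Everything else is rejected. The stored extension is
// what the web server acts on, so it is chosen here, never by the client.
const ALLOWED = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Validate one uploaded file and move it into UPLOAD_DIR under a
 * server-generated name. Returns the stored filename; throws on any failure.
 */
function storeUploadedImage(array $file): string
{
    $error = (int) ($file['error'] ?? UPLOAD_ERR_NO_FILE);
    if ($error !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with error code ' . $error);
    }
    $tmp = $file['tmp_name'];
    // Refuse anything that did not arrive as a POST upload in this request
    // (guards against a path being smuggled in through a tampered $_FILES array).
    if (!is_uploaded_file($tmp)) {
        throw new RuntimeException('Not an uploaded file');
    }
    if (filesize($tmp) > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }

    // Sniff the real content with fileinfo; $file['type'] is whatever the
    // client claimed and is ignored entirely.
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($tmp);
    if ($detected === false || !array_key_exists($detected, ALLOWED)) {
        throw new RuntimeException('Rejected content type: ' . var_export($detected, true));
    }

    // Second, independent check: the image decoder must agree with fileinfo.
    $info = @getimagesize($tmp);
    if ($info === false || $info['mime'] !== $detected) {
        throw new RuntimeException('Image header does not match detected type');
    }

    // Server-chosen name and extension: nothing from the client reaches the
    // filesystem, so "what_you_like.php" can never be written as .php.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$detected];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($tmp, $dest)) {
        throw new RuntimeException('Could not move uploaded file');
    }
    chmod($dest, 0644); // readable, never executable
    return $name;
}

// Usage: handler for the POST request carrying the "file" field.
try {
    $stored = storeUploadedImage($_FILES['file'] ?? []);
    echo 'OK: ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
} catch (RuntimeException $e) {
    http_response_code(400);
    echo 'Upload rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
}
```

The two sniffing checks are deliberate: fileinfo and getimagesize read the header differently, so a file crafted to satisfy one is less likely to satisfy both. Even so, the property that actually prevents execution is the last step, where the stored extension comes from the allow-list and the storage directory is not script-enabled; the content checks only keep junk out of the image directory.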

There is no way to accurately determine the type of a file. Reasons:

  • Extension: the user can easily change the extension by simply renaming the file.
  • MIME type: some add-on / extension can change the MIME type, because it comes from the client side (so it can be changed before being sent to the server) and is not generated by the server.

Now for verification, the answer to the question depends on why you want to check the file type.

In most cases we need to make sure that the uploaded file cannot be executed. For this you must know how your server processes / executes files.

  • If your server decides by extension, you also need to verify that you are not storing a file with an extension that can be executed.
  • If your server uses MIME types, beware that the MIME type sent by the client and the MIME type the server determines for the same file may differ. So use the same logic as your server to find out the MIME type.

+1
Sep 08 '11 at 17:38

The MIME type is not a reliable source because it is sent by the browser (anyone can also craft an HTTP request manually). PHP does not check that the extension and the MIME type agree (http://ru.php.net/manual/en/features.file-upload.post-method.php). You can send an HTTP request with the file name image.php and the MIME type "image/gif".

Always use the extension check if you want to save the uploaded file to disk and give public access to it later.

0
Sep 08 '11

To determine exactly what was uploaded, you check neither the file extension nor the MIME type sent by the browser.

In a *nix environment you have a utility for checking the MIME type of a given file; its rules usually live in the magic.mime file (/usr/share/magic.mime or something similar, depending on your installation).

Copy / paste from magic.mime to see how this works in a nutshell:

    # Magic data for KMimeMagic (originally for file(1) command)
    #
    # Note on adding additional MIME types:
    #
    # [RFC2045,RFC2046] specifies that Content Types, Content Subtypes, Character
    # Sets, Access Types, and conversion values for MIME mail will be assigned and
    # listed by the IANA.
    # http://www.iana.org/assignments/media-types/
    #
    # Any unregistered file type should be listed with a preceding x-, as in
    # application/x-foo (RFC2045 5.1), or a x., as in application/x.foo (RFC4288
    # 4.3). Any non x-prefixed type should be registered with IANA and listed at
    # the above address. Any other behavior is a MIME standards violation!
    #
    # It is preferred that when a registered MIME type exists, that
    # the registered Content-Type and Subtype be used to refer to a file of
    # that type, so don't use application/x-zip when application/zip is
    # registered.
    #
    # If an active RFC suggests that a MIME registration for a new type is in
    # progress, make a note of it pointing to that RFC.
    #
    # The format is 4-5 columns:
    # Column #1: byte number to begin checking from, ">" indicates continuation
    # Column #2: type of data to match
    # Column #3: contents of data to match
    # Column #4: MIME type of result
    # Column #5: MIME encoding of result (optional)

I will give you a link that will help you with the further implementation in PHP (literally 2 lines of code once you are done).

If you can't get it to work after all this, write in the comments here and I will provide the full code needed to safely detect the type of the uploaded file.

Fileinfo

0
Sep 08 '11
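As an added example, not part of the answer above and not the real file(1)/libmagic engine: a toy matcher that applies the four-column magic.mime layout quoted above (offset, data type, bytes to match, resulting MIME type) to a few constructed byte strings, and then combines that content sniff with an extension check. Only the "string" data type is implemented, the rules and sample inputs are made up for the illustration, and in production you would call PHP's fileinfo extension rather than this code. It also shows the case from the first answer: a PNG renamed to .php still sniffs as image/png, which is exactly why the extension you store under must be checked separately.

```php
<?php
// Added example (not from the original answer): a toy signature matcher in
// the magic.mime column format, plus an extension/content consistency check.
declare(strict_types=1);

// A handful of made-up rules in the four-column form used by magic.mime:
//   offset, type, content to match, resulting MIME type.
// Real magic files also have numeric types and ">" continuation lines.
const MAGIC_RULES = [
    [0, 'string', "\x89PNG\r\n\x1a\n", 'image/png'],
    [0, 'string', "\xFF\xD8\xFF",      'image/jpeg'],
    [0, 'string', 'GIF87a',            'image/gif'],
    [0, 'string', 'GIF89a',            'image/gif'],
    [0, 'string', '%PDF-',             'application/pdf'],
    [0, 'string', '<?php',             'text/x-php'],
];

/** Return the MIME type of the first matching rule, or null if none matches. */
function sniffMime(string $bytes): ?string
{
    foreach (MAGIC_RULES as [$offset, $type, $needle, $mime]) {
        if ($type !== 'string') {
            continue; // other data types are not implemented in this toy
        }
        if (substr($bytes, $offset, strlen($needle)) === $needle) {
            return $mime;
        }
    }
    return null;
}

/**
 * Decide whether an upload should be accepted: its content must sniff as an
 * allowed type AND the extension it would be stored under must belong to that
 * same type. The client-supplied name is consulted only to detect a mismatch,
 * never to decide what the file "is".
 */
function acceptUpload(string $clientName, string $bytes, array $allowed): array
{
    $detected = sniffMime($bytes);
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if ($detected === null || !isset($allowed[$detected])) {
        return ['ok' => false, 'detected' => $detected, 'reason' => 'content type not allowed'];
    }
    if (!in_array($ext, $allowed[$detected], true)) {
        return ['ok' => false, 'detected' => $detected,
                'reason' => "extension .$ext does not match content ($detected)"];
    }
    return ['ok' => true, 'detected' => $detected, 'reason' => ''];
}

// Constructed sample inputs (not real files): minimal headers are enough for
// the signature check.
$allowed = [
    'image/png'  => ['png'],
    'image/jpeg' => ['jpg', 'jpeg'],
    'image/gif'  => ['gif'],
];
$samples = [
    'logo.png'            => "\x89PNG\r\n\x1a\n" . str_repeat("\0", 16),
    'photo.jpg'           => "\xFF\xD8\xFF\xE0" . str_repeat("\0", 16),
    // The renamed-logo case from the first answer: the bytes still say PNG, so
    // content sniffing alone would pass it; the extension check stops it.
    'what_you_like.php'   => "\x89PNG\r\n\x1a\n" . str_repeat("\0", 16),
    // A script given an image extension: the sniff exposes it.
    'script_as_image.gif' => "<?php echo 1;",
];
foreach ($samples as $name => $bytes) {
    $r = acceptUpload($name, $bytes, $allowed);
    printf("%-22s detected=%-16s %s%s\n", $name, $r['detected'] ?? 'unknown',
        $r['ok'] ? 'ACCEPT' : 'REJECT', $r['ok'] ? '' : ' (' . $r['reason'] . ')');
}
```

Running it accepts logo.png and photo.jpg and rejects the other two: what_you_like.php because its .php extension does not belong to the detected image/png, and script_as_image.gif because its content does not sniff as any allowed type. Either check alone would let one of those two through, which is the point the answers above make from opposite directions.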
