[Owasp-boston] Checking file types on upload

Javed Ikbal javed at zsquad.com
Thu Nov 12 09:57:18 EST 2009


The most common (and error-prone) method is to use the $_FILES array.
The browser supplies this information to the server, and IE is notorious
for using the extension to tell the server what the filetype is.

As it uses the filename extension, it is easy to fool (or to make a mistake with).

With PHP 5.3 or above, you can use fileinfo

http://www.php.net/manual/en/function.finfo-file.php

For older versions, fileinfo is a loadable module.

I guess you can run grep in the upload dirs to catch misnamed php files
that have already been uploaded, something like:

grep -R "<?" *.jpg *.gif *.png

Regards

Javed
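An added example of the fileinfo approach described above (not code from the original post): the upload's content is sniffed with finfo_file instead of trusting the browser-supplied $_FILES type, and the client extension must agree with the sniffed type. It assumes PHP 5.3 or later with the fileinfo extension loaded; the function and array names are the example's own.

```php
<?php
// Added example, not from the original post: sniff the uploaded file's
// content with fileinfo and cross-check it against the client extension.
// Assumes PHP >= 5.3 with the fileinfo extension loaded.

function validate_image_upload(array $file)
{
    // libmagic-reported MIME type => extensions we are willing to store it under.
    $allowed = array(
        'image/jpeg' => array('jpg', 'jpeg'),
        'image/gif'  => array('gif'),
        'image/png'  => array('png'),
    );

    if (!isset($file['tmp_name']) || !is_uploaded_file($file['tmp_name'])) {
        return array(false, 'not an uploaded file');
    }

    // Sniff the real content. $file['type'] is set by the browser and is
    // never consulted here.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $file['tmp_name']);
    finfo_close($finfo);

    if (!isset($allowed[$mime])) {
        return array(false, "content type $mime not allowed");
    }

    // The client-supplied extension must match the sniffed type, so a file
    // named photo.jpg whose content is not JPEG is refused.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed[$mime], true)) {
        return array(false, "extension .$ext does not match $mime");
    }

    // Second opinion: the image parser must agree with libmagic.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        return array(false, 'image data does not parse');
    }

    // Store under a server-chosen name with the vetted extension; the caller
    // should place it in a directory where PHP execution is disabled.
    return array(true, uniqid('upload_', true) . '.' . $ext);
}
```

Content sniffing only classifies what the file looks like at its start, so it is a layer on top of, not a replacement for, turning off PHP in the upload directories as the original question already mentions.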

Laverty, Patrick wrote:
> Sorry for all the questions lately, but I'm wondering if someone has
> come up with a reliable way to check actual file types when they get
> uploaded to a server, preferably with PHP.  We've had some issues where
> people uploaded php files with a .jpg or .gif extension, so they slipped
> by for a while.
>
> We are turning off php in upload directories, among other security
> steps, but I just wanted to see if I could do more than just checking
> the file extension.  Looking for that extra layer of security.
>
> Thanks!
>
> Patrick Laverty
> Brown University
