
Topic awaiting preservation: file upload mime types (Page 1 of 1)

 
redroy
Paranoid (IV) Inmate

From: 1393
Insane since: Dec 2003

posted 02-20-2006 17:47

I've got a php upload script I've created and I want to restrict all file types except for pdf, gif and jpg. I've been reading up on mime types but it seems that it is totally browser dependent (like AOL doesn't send proper mime types etc.). How do I go about this properly?

justin
Nervous Wreck (II) Inmate

From: Stockholm, Sweden
Insane since: Jan 2006

posted 02-20-2006 18:37

I'm using the following code. As far as I know it works well on both PC and Mac, IE and FF and all the rest.

code:
$FILE_MIMES = array('image/jpeg','image/jpg','image/gif','image/png');
$FILE_EXTS  = array('.jpeg','.jpg','.png','.gif');
// $file_name and $file_type come from $_FILES[...]['name'] / ['type'];
// $file_ext is the lowercased extension taken from $file_name.
// Note: with && the upload is refused only when BOTH the mime type and the
// extension are unknown; use || if both must match.
if (!in_array($file_type, $FILE_MIMES) && !in_array($file_ext, $FILE_EXTS))
    echo "Sorry, $file_name($file_type) was not allowed to be uploaded.";



Not sure if "functional" code is enough for you since you asked for "proper"...

butcher
Paranoid (IV) Inmate

From: New Jersey, USA
Insane since: Oct 2000

posted 02-20-2006 18:37

You can do an eregi on the file name. Something like:

code:
// refuse unless the name ends in .pdf, .gif, .jpg or .jpeg (case-insensitive);
// the dot is escaped and the pattern anchored so "foo.pdf.php" does not pass
if (!eregi('\.pdf$', $filename) && !eregi('\.gif$', $filename) && !eregi('\.jpe?g$', $filename))
{
  //put code to refuse the upload here
}
else
{
  //handle the upload here
}



That's off the top of my head so it may need a little tweaking.

- Butcher -

GRUMBLE
Paranoid (IV) Mad Scientist

From: Omicron Persei 8
Insane since: Oct 2000

posted 02-20-2006 18:48

you get the browser's mime type from

$type = $_FILES["yourfilename"]["type"];

so, just run a test on your AOL and upload pdf, gif, jpg and you will know what AOL sends.

divinechaos
Nervous Wreck (II) Inmate

From:
Insane since: Dec 2001

posted 02-21-2006 07:22

MIME Filetype is a lot harder to spoof than extensions, so it's best imo to use both.

Just remember that IE uploads jpeg as "image/pjpeg", just to make life hard.

For additional examples of file handling, check out the PHP manual.
http://ca3.php.net/features.file-upload

Regards,
DC

Tyberius Prime
Maniac (V) Mad Scientist with Finglongers

From: Germany
Insane since: Sep 2001

posted 02-21-2006 08:48

You don't listen to the mime types the client sends.
They cannot be trusted - and as you pointed out, whatever the browsers send, it might as well be random junk.

And divinechaos, I'll spoof the mime type any day... it's just another browser header
and completely under your control if you're using anything but a browser to do your
HTTP requests. Heck, I could spoof a mime-type header with a simple telnet client...


All three of gif, jpeg and pdf can be detected by checking the first few bytes of the uploaded file,
and that's usually what you want to do.

(Gif files should start with "GIF87a" or "GIF89a"... use google for the rest of them.)

so long,

->Tyberius Prime
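As an added example (not code from the thread or any of its posters), here is the first-bytes check described above, written in PHP. The GIF signatures are the ones quoted in the post; the JPEG marker, the PDF header, the form field name "userfile" and the $upload_dir location are my own assumptions.

```php
<?php
// Added example: decide the type of an uploaded file from its leading bytes only,
// ignoring the client-supplied $_FILES[...]['type'] and the file name entirely.

// Magic-byte signatures. "GIF87a"/"GIF89a" come from the thread; the JPEG SOI
// marker FF D8 FF and the PDF "%PDF-" header are well-known values assumed here.
const UPLOAD_SIGNATURES = [
    'gif'  => ["GIF87a", "GIF89a"],
    'jpeg' => ["\xFF\xD8\xFF"],
    'pdf'  => ["%PDF-"],
];

/**
 * Return 'gif', 'jpeg' or 'pdf' when the first bytes of $path match a known
 * signature, or null when none match. Only the file content is consulted.
 * A matching header proves the type, not that the rest of the file is harmless.
 */
function detect_upload_type(string $path): ?string
{
    $head = @file_get_contents($path, false, null, 0, 8); // first 8 bytes
    if ($head === false) {
        return null;
    }
    foreach (UPLOAD_SIGNATURES as $type => $signatures) {
        foreach ($signatures as $sig) {
            if (strncmp($head, $sig, strlen($sig)) === 0) {
                return $type;
            }
        }
    }
    return null;
}

// Usage in an upload handler; assumes <input type="file" name="userfile"> and
// an $upload_dir that is outside the web root (hypothetical path).
$upload_dir = '/var/uploads';
$f = $_FILES['userfile'] ?? null;
if ($f === null || $f['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($f['tmp_name'])) {
    exit("Upload failed.");
}
$type = detect_upload_type($f['tmp_name']);
if ($type === null) {
    exit("Sorry, only gif, jpg and pdf files are accepted.");
}
// Store under a server-chosen name whose extension comes from the detected type,
// never from the client-supplied file name.
$dest = $upload_dir . '/' . bin2hex(random_bytes(16)) . '.' . $type;
move_uploaded_file($f['tmp_name'], $dest);
```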

divinechaos
Nervous Wreck (II) Inmate

From:
Insane since: Dec 2001

posted 02-22-2006 03:50

I said it was harder, TP, not that it wasn't possible. I agree it wouldn't be hard to spoof the mime-type (writing raw http headers is not rocket science), but it's of a completely different degree from changing the file extension. =)

But you're right, the best defense is to check the file itself.

Regards,
DC

Tyberius Prime
Maniac (V) Mad Scientist with Finglongers

From: Germany
Insane since: Sep 2001

posted 02-22-2006 08:32

well... betting that an attacker is stupid is a sure way to lose money.

DmS
Maniac (V) Inmate

From: Sthlm, Sweden
Insane since: Oct 2000

posted 02-22-2006 08:57
quote:
well... betting that an attacker isn't stupid is a sure way to lose money.



LOL that's so very very true!
Actually, for an attacker to go one step further and fake the actual image file itself based on how it's supposed to start is not hard at all. I've seen a couple of different "creative" ways of this.

To be even more safe than suggested above you should go further and check the complete content of the file for absence of malicious code such as VBScript, javascript and other interesting things. Still, for every defensive measure we can take we can be quite sure that the evil ones know of a way or two that we haven't thought of.

Ever heard of "The never ending battle between good and evil"?
/D

{cell 260} {Blog}
-{"Theories without facts are just religions...}-

