Topic awaiting preservation: file updload mime types

I've got a php upload script I've created and I want to restrict all file types except for pdf, gif and jpg. I've been reading up on mime types but it seems that it is totally browser dependant (like AOL doesn't send proper mime types ect.). How do I go about this properly?

I'm using this following code. As far as I know it works well on both PC and Mac. IE and FF and all the rest.

$FILE_MIMES = array('image/jpeg','image/jpg','image/gif','image/png');
$FILE_EXTS  = array('.jpeg','.jpg','.png','.gif');

if (!in_array($file_type, $FILE_MIMES) && !in_array($file_ext, $FILE_EXTS) ) echo  = "Sorry, $file_name($file_type) was not allowed to be uploaded.";

Not sure if "functional" code is enough for you since you asked for "proper"...

You can do an eregi on the file name. Something like:

if (!eregi('.pdf', $filename) || !eregi('.gif', $filename) || !eregi('.jpe?g', $filename))
{
  //put code to refuse the upload here
}
else
{
  //handle the upload here
}

That's off the top of my head so it may need a little tweaking.

- Butcher -

you get the browser's mime type from

$type = $_FILES["yourfilename"]["type"];

so, just run a test on your AOL and upload pdf,gif,jpg and you will know what AOL sends.

MIME Filetype is a lot harder to spoof than extensions, so it's best imo to use both.

Just remember that IE uploads jpeg as "image/pjpeg", just to make life hard.

For additional examples of file handling, check out the PHP manual.
http://ca3.php.net/features.file-upload

Regards,
DC

You don't listen to the mime types the client sends.
They can not be trusted - and as you pointed out, whatever the browser's send, it might as well be random junk.

And divinechaoes, I'll spoof the mime type any day... it's just another browser header
and complety under your control if you're using anything but a browser to do your
HTTP Requests. Heck I could spoof a mime-type header with a simple telnet client...


All three of gif, jpeg and pdf can be detected by checking the first few bytes of the uploaded file,
and that's usually what want you to do.

(Gif files should start with "GIF87a" or "GIF89a"... use google for the rest of them.)

so long,

->Tyberius Prime

I said it was harder, TP, not that it wasn't possible. I agree it wouldn't be hard to spoof the mime-type (writing raw http headers is not rocket science), but it's of a completely different degree from changing the file extension. =)

But you're right, the best defense is to check the file itself.

Regards,
DC

well... betting that an attacker ist stupid is a sure way to loose money.

quote:

---

well... betting that an attacker isn't stupid is a sure way to loose money.

---

LOL that's so very very true!
Actually for an attacker to go one step further and fake the actual imagefile itself based on how it's supposed to start is not hard at all. I've seen a couple of different "creative" ways of this.

To be even more safe than suggested above you should go further and check the complete content of the file for absence of malicious code such as VBScript, javascript and other interesting things. Still, for every defensive measure we can take we can be quite sure that the evil ones knows of a way or two that we havn't thought of.

Ever heard of "The never ending battle between good and evil "
/D

{cell 260} {Blog}
-{"Theories without facts are just religions...?}-