ansaurus

Question

Answer 1

+3 A:

Forget checking the mime type. Use getimagesize() instead.

Pekka 2010-03-18 23:09:41

Yes this it will work too, Thanks Pekka.

2010-03-18 23:12:46

@silversky you're welcome. This will actually work way better, because it can't be forged by the user as the uploaded MIME type can - getimagesize() actually parses the uploaded file's header. Plus, you will always get reliable results. But then, of course, it will only work for images.

Pekka 2010-03-18 23:17:42

not, still exactly what I'm looking. Because for example getimagesize('file.jpg%')[2] will still fire - 2 - wich of course is true BUT latter the browser will not be able to read the image.

2010-03-19 00:04:39

Ahh @silversky now I see. I misread you there, I apologize. One solution might be sending along the correct `content-type` header when serving the file, but I don't know whether that is usable in your situation.

Pekka 2010-03-19 00:06:50

probablly I could also add an regex to take the last 4 char and check as a string with jpeg, gif .... But i think I spent already to much time with this issue. i don't think that, anyone has time to add char's at the end of an image 'just for fun' and probablly this issue it's not a good solution for a hacker to cover something

2010-03-19 00:18:07

@silversky I think it's an issue worth looking at. Imagine somebody uploading a EXE file that way that then ends up as a download when people visit the site. I would check the extension using Pathinfo http://de.php.net/pathinfo.

Pekka 2010-03-19 00:21:31

But an EXE, will be able to pass as MIME type image ?

2010-03-19 00:34:13

it's worth mentioning that with $_FILES['type'], FF and Chrome will not validate an image.jpgw or image image.jpg% ........ as a image type

2010-03-19 00:37:12

@silversky an attacker can fake the incoming MIME type, which is why it's deemed unreliable.

Pekka 2010-03-19 00:49:05

so should I use a regex to check the last 4 char or is any other better solution?

2010-03-19 01:04:47

@silversky best use `pathinfo` that I linked to above.

Pekka 2010-03-19 01:19:03

yes pathinfo('fileName')['extension'] and in_array($ext, $accepted) will do the trick.do you think it is safe enough to check only the extention or is better for any case, to still check the type also ?

2010-03-19 03:00:38

@silversky that depends on what you're going to do with the image. If you are going to serve it back to people, checking the type is certainly a good idea.

Pekka 2010-03-19 11:19:32

@Pekka Thank you very much for your help and sugestions (I'll probably check for type also)

2010-03-20 02:50:30

Answer 2

A:

For performance reasons your webserver doesn't usually inspect the file for it's mimetype, it usually only uses the extension.

Therefore on upload you need to read the mimetype and then save the file with an extension appropriate for the mimetype if you wish the webserver to directly serve the file. The alternative is to use a download wrapper that reads the mimetype from the file and passes it onto the client.

Basic example,

/* verify and sanitize any file extension from mimetype
 */
    switch($subtype) {
    case 'pjpeg':
    case 'jpeg':
        if (!preg_match('/\.jp(e)?g$/i', $real_name)) {
            $real_name .= '.jpg';
        }
        break;

    default:
        if (!preg_match('/\.'.$subtype.'$/i', $real_name)) {
            $real_name .= ".$subtype";
        }
        break;
    }

Steve-o 2010-03-19 06:44:00

If I understand right your suggestion is to extract the extention with regex but I think it's faster and cleaner to use pathinfo () build in fn.

2010-03-20 02:53:37

ansaurus

tags:

views:

answers:

even PHP has 'bugs' with IE

related questions