I've got a Mac server and I'm building PHP code to allow users to upload images, documents, and even video files. Researching this has definitely gotten me nervous; I want the uploaded content to be virus-free.

Is building something myself going to be a huge challenge? Would you do it, or would you find some OS or OTS product? (And do you know of any you can recommend)?

+19  A: 

Conceptually, what you're talking about is pretty straightforward. Accepting and processing uploads is pretty simple; it's definitely not something I think you need to worry about buying a pre-built solution for.

Generally things like images and videos can't really have "viruses" (unless the viewer application is really poor and lets them run code somehow - also known as "Internet Explorer"), but it's not really difficult to virus-scan them anyway if you'd like to. Just find a command-line scanner that can run on the server (something like ClamAV), and whenever a file is uploaded, run it through the scanner and reject the upload (and log the event) if it fails the scan.

Chad Birch
My +1 for the IE remark, made me laugh -)
Ilya Birman
A: 

Here’s code to process the uploaded files, just so you get the idea:

foreach ($_FILES as $file) {
  if ($file['error'] === UPLOAD_ERR_OK) {
    // basename() drops any directory components from the client-supplied name
    move_uploaded_file($file['tmp_name'], 'uploads/' . basename($file['name']));
  } elseif ($file['error'] !== UPLOAD_ERR_NO_FILE) { // 4: no file was selected
    $error_is = $file['error'];
    // do something with the error :-)
  }
}

header('Location: ...'); // go to the updated page, like, with the new files
die;
Ilya Birman
+4  A: 

If you're uploading very large files, you might also consider a Flash upload/status bar so that users can see how much of the file is uploaded. SWFUpload is a good choice for that.

You can scan files with ClamAV by doing something like this in PHP:


$out = array(); // exec() fills this with the scanner's output lines
$int = -1;
// escapeshellarg() keeps the file name from being interpreted by the shell
exec('/usr/local/bin/clamscan --stdout ' . escapeshellarg('/path/to/file.ext'), $out, $int);

if ($int == 0)
{
  print('No virus!');
}

/*
Return codes from clamscan:
   0: No virus found.
   1: Virus(es) found.
  40: Unknown option passed.
  50: Database initialization error.
  52: Not supported file type.
  53: Can't open directory.
  54: Can't open file. (ofm)
  55: Error reading file. (ofm)
  56: Can't stat input file / directory.
  57: Can't get absolute path name of current working directory.
  58: I/O error, please check your file system.
  59: Can't get information about current user from /etc/passwd.
  60: Can't get information about user '' from /etc/passwd.
  61: Can't fork.
  62: Can't initialize logger.
  63: Can't create temporary files/directories (check permissions).
  64: Can't write to temporary directory (please specify another one).
  70: Can't allocate memory (calloc).
  71: Can't allocate memory (malloc).
*/

Keith Palmer
This is really great, thanks!
lynn
+1 This was incredibly helpful. Cheers :)
da5id
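
A fail-closed version of the scan-then-reject flow described in the answers above, as an added example that is not Keith Palmer's or Chad Birch's code. The names scan_upload() and handle_upload() and the uploads directory are assumptions; the scanner path is the one used in the answer.

```php
<?php
// Added example: accept a file only when the scanner positively reports it
// clean. scan_upload() and handle_upload() are hypothetical names.

function scan_upload(string $path, string $scanner = '/usr/local/bin/clamscan'): string
{
    $out = [];
    $code = -1;
    // escapeshellarg() stops the file name from being parsed by the shell
    exec(escapeshellcmd($scanner) . ' --stdout --no-summary ' . escapeshellarg($path), $out, $code);

    if ($code === 0) {
        return 'clean';
    }
    if ($code === 1) {
        error_log('Upload rejected, scanner reported: ' . implode(' | ', $out));
        return 'infected';
    }
    // Any other code (40-71 in the list above, or 127 when the binary is
    // missing) means the scan did not happen, so the file is not accepted.
    error_log("Scanner error $code while checking $path");
    return 'error';
}

function handle_upload(array $file, string $destDir): bool
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return false;
    }
    // Scan the temporary file before it is moved anywhere reachable.
    if (scan_upload($file['tmp_name']) !== 'clean') {
        return false;
    }
    return move_uploaded_file($file['tmp_name'], $destDir . '/' . basename($file['name']));
}

foreach ($_FILES as $file) {
    handle_upload($file, __DIR__ . '/uploads');
}
```

The same wrapper works with clamdscan passed as `$scanner`, provided the clamd user can read PHP's temporary upload directory.
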
+3  A: 

The short answer: Don't buy anything. The experience and sense of accomplishment you will gain from coding this yourself is far more worth it.

The long answer: Trusting any form of user input is generally a bad idea. However, being sensible about what you do with user data is always the best way to go. If you don't do foolish things*, you'll be fine, and you'll gain tremendously from the experience.



( * I know that's a little ambiguous, but hey, try identifying a mistake before you've made it. I know I rarely can. ;)

abrahamvegh
+1  A: 

I'm building sort of the same right now using FancyUpload from digitarald for MooTools 1.2.1.

Check this example: http://localhost/fancyupload/showcase/photoqueue/ to see how cool that is.

Just make sure you read up on how to pass a session to Flash (using GET / POST parameters!! Your session cookies will not work.) and do some checks on the filetype.

Personally, I'd not let my users upload videos. Just use YouTube and embed that stuff.

Oh yeah, and if you want to have thumbnails of the stuff that's uploaded, go for ImageMagick installed on your server along with Ghostscript. ImageMagick can then even generate thumbnails from PDFs!

SchizoDuckie
A: 

You're better off using a third-party virus scanner to make sure the uploads are virus-free. (Writing your own code to check for viruses sounds like a daunting task.)

Examples: Gmail I think is using Norton, while Yahoo!Mail I think is using McAfee.

ksuralta
A: 

Hi,

I'm getting code 56 when using Keith Palmer's script. Anybody know why?

A: 

Keith Palmer suggests a small script.

Use clamdscan instead of clamscan. clamdscan communicates with an already set-up clamd (the ClamAV daemon), while clamscan is a standalone application, so virus signatures are loaded EACH TIME you call it; this could generate quite a big load on your server.

Besides, you could also try clamuko (this gives you on-access scanning), so you could just drop files into a dir observed by clamuko.

There is also the FUSE-based ClamFS, which could probably be a better solution if you can't insert modules into the kernel.

GiM
+1  A: 

"Is building something myself going to be a huge challenge?" Yes, it is. Not as huge as to outsource it to a third party solution, but what you want to code here is possibly the most dangerous thing that you can get to code on a PHP web script: allowing users to upload files to your server. You need to be extremely careful to filter the files you are going to accept to prevent users from uploading PHP scripts to your server. Common mistakes that people make while filtering are:

  1. Not filtering at all.
  2. Filtering based on incorrect regular expressions that are easily bypassed.
  3. Not using the is_uploaded_file and move_uploaded_file functions can lead to LFI vulnerabilities.
  4. Not using the $_FILES array (using global variables instead) can lead to RFI vulns.
  5. Filtering based on the type from the $_FILES array, fakeable as it comes from the browser.
  6. Filtering based on a server-side checked MIME type, fooled by simulating what the magic files contain (i.e. a file with this content GIF8 is identified as an image/gif file but perfectly executed as a PHP script).
  7. Using blacklisting of dangerous files or extensions as opposed to whitelisting of those that are explicitly allowed.
  8. Incorrect Apache settings that allow uploading an .htaccess file that redefines PHP executable extensions (i.e. txt).

I could go on, but I think you were already scared before asking :)

As per the viruses thing, yeah, just run an AV.

palako
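
A filter that avoids the mistakes in the list above, as an added example that is not palako's code. ALLOWED, checked_extension() and store_upload() are hypothetical names, the fileinfo extension is assumed to be loaded, and the destination directory is assumed to sit outside the web root. Since a content-based MIME check can be satisfied by a crafted header (item 6), execution is prevented by the whitelisted extension on a server-generated name, not by the MIME check.

```php
<?php
// Added example: whitelist filter for uploads. All names are hypothetical.

const ALLOWED = [            // whitelist: extension => MIME types accepted for it
    'jpg' => ['image/jpeg'],
    'png' => ['image/png'],
    'gif' => ['image/gif'],
    'pdf' => ['application/pdf'],
];

function checked_extension(string $clientName, string $tmpPath): ?string
{
    // Only the last extension counts, and it must be on the whitelist.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return null;
    }
    // MIME type detected on the server from the content, not $_FILES['type'].
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    return in_array($mime, ALLOWED[$ext], true) ? $ext : null;
}

function store_upload(array $file, string $destDir): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $ext = checked_extension($file['name'], $file['tmp_name']);
    if ($ext === null) {
        return null;
    }
    // The stored name is generated here, so nothing from the client name
    // (".htaccess", "x.php.gif", path parts) reaches the file system.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], "$destDir/$stored") ? $stored : null;
}

// Constructed sample: a temporary file that starts with a GIF signature.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "GIF89a" . str_repeat("\0", 16));
var_dump(checked_extension('photo.gif', $tmp));   // extension and content agree
var_dump(checked_extension('photo.php', $tmp));   // extension not on the whitelist
var_dump(checked_extension('photo.png', $tmp));   // content does not match extension
unlink($tmp);
```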