I have a public website where users have the option to upload a PDF file and read that PDF when they need to.

I use the PHP command

$error = copy($tmp_name, $fpath);

to save the file to the server.

The issues I am facing are:

  1. Anyone can upload any type of file (.exe, .bat), but I only need PDF.

  2. When browsing a PDF file, if someone has changed a file's extension from .exe or .bat to .pdf, how do I reduce the risk of that script executing on the server?

I have been trying hard to solve this issue for the last few days, but with no success.

Thanks

A: 

Use fileinfo to get the MIME type (+ whatever else you need) to check if it's a PDF.

EDIT: an easier alternative would be to use mime_content_type(), but that's deprecated since PHP 5.

PS: the PDF MIME type should be application/pdf

oezi
A: 

1) To solve this you will need logic on your end to examine the file, e.g. using the Fileinfo module to figure out the file's MIME type. Also make sure to always save the files with a .pdf file extension and block everything with the wrong extension (to shield your users from downloading anything executable). This will not be 100% secure though. If you want to completely protect yourself from viruses you will need an anti-virus program installed on the server and check all uploaded files.

2) This is easier. Just disable all script execution for your upload folder in your web server config. This will differ depending on the web server.


Oh, and if your web server allows config files in directories, like Apache's .htaccess, make sure the filename is NOT .htaccess or any other magical filename.

Emil Vikström
A: 

Just replace the file extension with .pdf in the filename. If it was already .pdf, nothing changes, and if it was .exe or whatever else, it gets corrected.

joni
+1  A: 

Don't use copy(), use move_uploaded_file() to fetch uploaded files. Using copy() is subject to some serious security vulnerabilities.

how to reduce risk of that script execute on server?

That's easy: Just don't put it anywhere where it can be executed :) Seriously, you can store the most evil viruses on your server - as long as they're in a directory in which they can't be run, you have no problem.

The real problem is what happens when people download the file. You can use fileinfo as outlined in other answers to find out whether it's a PDF. For anything beyond that - e.g. checking for malicious hacks inside the PDF file, of which there are some - you'd have to install a server-side virus scanner.

Other than that, it'll be the user's responsibility to have a virus scanner running. There is no 100% security here. Total security might come from opening and re-saving each PDF document using a native PDF library, but I don't know whether there are any PHP libraries that can do that well.

Pekka
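
Added example, not part of any answer on this page: a minimal upload handler that combines the checks from Emil Vikström's and Pekka's answers (fileinfo content check, forced .pdf name, move_uploaded_file(), storage where nothing is executed). The form field name, storage path and size limit are assumptions chosen for illustration.

```php
<?php
declare(strict_types=1);

// Assumptions (not from the original page): form field "pdf", a storage
// directory outside the web server's document root, and a 10 MiB limit.
const UPLOAD_FIELD = 'pdf';
const STORAGE_DIR  = '/var/app-data/pdf-uploads';
const MAX_BYTES    = 10 * 1024 * 1024;

/** Validates one $_FILES entry, stores it, and returns the stored file name. */
function store_uploaded_pdf(array $file): string
{
    // Reject failed uploads and array-style fields (pdf[]=...) outright.
    if (!isset($file['error']) || is_array($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or malformed request.');
    }
    if ($file['size'] <= 0 || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('File is empty or too large.');
    }
    // Content check with fileinfo: the client-supplied name and type are
    // ignored on purpose, so a renamed .exe or .bat fails here.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== 'application/pdf') {
        throw new RuntimeException('Only PDF files are accepted.');
    }
    // Server-generated name: always ends in .pdf, can never be .htaccess,
    // and contains no path components taken from the client.
    $name = bin2hex(random_bytes(16)) . '.pdf';
    $dest = STORAGE_DIR . '/' . $name;
    // move_uploaded_file() only moves files that arrived via HTTP POST upload.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store the upload.');
    }
    chmod($dest, 0640); // readable by the application, never executable
    return $name;
}

if (PHP_SAPI !== 'cli' && isset($_FILES[UPLOAD_FIELD])) {
    try {
        $stored = store_uploaded_pdf($_FILES[UPLOAD_FIELD]);
        echo 'Stored as ' . htmlspecialchars($stored, ENT_QUOTES);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Upload rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES);
    }
}
```

The fileinfo check only confirms that the content looks like a PDF; as the answers note, detecting malicious content inside a genuine PDF still needs a server-side virus scanner.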
A: 

You could validate the PDF with a tool like tool.pdf.Validate but with the many different versions of PDF you run the risk of false negatives, especially with newer software packages.

Steve-o
A: 

There is a very good write-up on the subject of file uploads by bobince in another question. His answer brought some issues to the table I didn't even think about before. It's really worth reading.

And as Pekka already said, don't just use copy(), use the move_uploaded_file() function which exists for moving uploaded files from the tmp directory.

Max