uploading

Started by Parham, September 05, 2003, 01:01:47 PM

Previous topic - Next topic

Parham

I'm about to take a big step and make a feature for my website that allows uploading of files.  My question is this:  is there ANY conceivable way there could be security problems if i only allow people to upload gifs/jpegs/pngs??

[Unknown]

No, not gifs... etc... but make sure they don't upload... oh, say LPT1 or COM or CON, etc.

-[Unknown]

Haase

Parham, you should cruise on over to http://pfabb.lunabyte.com.  Somewhere there is an uploader mod that works pretty well.  You can probably at least use that code for sample while you work.
Find out about Enigma, the portal built exclusively for YaBB SE will be continuing it's work towards SMF

Chris Cromer

Make sure the filename doesn't contain ".." or slashes.

For instance if they uploaded the filename "../file.gif" it would upload it up one directory... so it would be possible for them to upload it ANYWHERE on the site if .. was allowed in the filename.

And slashes are dangerous too because they can symbolize directories so make sure those arn't in the file name.

You should also check both the mime type of the file as well as the extension to make sure they don't upload some file that isn't a image. For instance I could upload a javascript file and name it .gif and it would execute the javascript. So check the mime type to make sure it really is an image... because extensions lie. ;)
Chris Cromer

"I was here, here I was, was I here, sure I was" - The little voice in my head.

Iridium

So do mime types, since they too are determined by the client. It's probably safer to check extensions, since they are used by the server when deciding the content type of the file when it's served (and it's then that the type is important, since a file sent as "image/gif" should be interpreted as such, whether it's actually html, executable or whatever.

Chris Cromer

As I said, check both. ;)
Chris Cromer

"I was here, here I was, was I here, sure I was" - The little voice in my head.

Parham

i was going to match the mime type agains this array:


$imgarray = array("image/pjpeg", "image/jpeg", "image/gif", "image/png", "image/x-png");


does anyone have a regex though that will check the file form coming in?  or something that will check all the information coming out of $_FILE['file'] (there is only one file coming in at a time)?

[Unknown]

      // Remove special accented characters - ie. sí.
      $_FILES['attachment']['name'] = strtr($_FILES['attachment']['name'], 'ŠŽšžŸÀÁÂÃÄÅÇÈÉÊËÌÍÎÏÑÒÓÔÕÖØÙÚÛÜÝàáâãäåçèéêëìíîïñòóôõöøùúûüýÿ', 'ZszYAAAAAACEEEEIIIINOOOOOOUUUUYaaaaaaceeeeiiiinoooooouuuuyy');
      $_FILES['attachment']['name'] = strtr($_FILES['attachment']['name'], array('Þ' => 'TH', 'þ' => 'th', 'Ð' => 'DH', 'ð' => 'dh', 'ß' => 'ss', 'Œ' => 'OE', 'œ' => 'oe', 'Æ' => 'AE', 'æ' => 'ae', 'µ' => 'u'));
      // Sorry, no spaces, dots, or anything else but letters allowed.
      $_FILES['attachment']['name'] = preg_replace(array('/\s/', '/\.[\.]+/', '/[^\w_\.\-]/'), array('_', '.', ''), $_FILES['attachment']['name']);

      // Make sure they aren't trying to upload a nasty file.
      $disabledFiles = array('CON', 'COM1', 'COM2', 'COM3', 'COM4', 'PRN', 'AUX', 'LPT1');
      if (in_array(strtoupper(substr(strrchr($_FILES['attachment']['name'], '.'), 1)), $disabledFiles))
         die;

-[Unknown]

CapriSkye

Quote from: [Unknown] on September 06, 2003, 03:23:05 PM
      // Remove special accented characters - ie. sí.
      $_FILES['attachment']['name'] = strtr($_FILES['attachment']['name'], 'ŠŽšžŸÀÁÂÃÄÅÇÈÉÊËÌÍÎÏÑÒÓÔÕÖØÙÚÛÜÝàáâãäåçèéêëìíîïñòóôõöøùúûüýÿ', 'ZszYAAAAAACEEEEIIIINOOOOOOUUUUYaaaaaaceeeeiiiinoooooouuuuyy');
      $_FILES['attachment']['name'] = strtr($_FILES['attachment']['name'], array('Þ' => 'TH', 'þ' => 'th', 'Ð' => 'DH', 'ð' => 'dh', 'ß' => 'ss', 'Œ' => 'OE', 'œ' => 'oe', 'Æ' => 'AE', 'æ' => 'ae', 'µ' => 'u'));
      // Sorry, no spaces, dots, or anything else but letters allowed.
      $_FILES['attachment']['name'] = preg_replace(array('/\s/', '/\.[\.]+/', '/[^\w_\.\-]/'), array('_', '.', ''), $_FILES['attachment']['name']);

      // Make sure they aren't trying to upload a nasty file.
      $disabledFiles = array('CON', 'COM1', 'COM2', 'COM3', 'COM4', 'PRN', 'AUX', 'LPT1');
      if (in_array(strtoupper(substr(strrchr($_FILES['attachment']['name'], '.'), 1)), $disabledFiles))
         die;

-[Unknown]


one of the user on my forum asked me to remove those lines by putting // in front of them, which will then allow chinese characters for filenames. what im wondering is if it will cause security problems?
thanks

[Unknown]

Actually, depending on your server, it could cause problems.  The next release (1.0 RC2) should properly handle internationalized filenames, as long as "encrypted filenames" is on.

Don't remove the part with CON, COM1, etc... that part is important.

-[Unknown]

Saleh

Quote from: Chris Cromer on September 05, 2003, 11:29:32 PM
Make sure the filename doesn't contain ".." or slashes.

For instance if they uploaded the filename "../file.gif" it would upload it up one directory... so it would be possible for them to upload it ANYWHERE on the site if .. was allowed in the filename.

And slashes are dangerous too because they can symbolize directories so make sure those arn't in the file name.

You should also check both the mime type of the file as well as the extension to make sure they don't upload some file that isn't a image. For instance I could upload a javascript file and name it .gif and it would execute the javascript. So check the mime type to make sure it really is an image... because extensions lie. ;)
somehow I missed this one, but move_uplaoded_file() shouldn't be fooled by this!
it's why it's different from copy()!

We don't need a reason to help people

Advertisement: