content type



timgolding
07-20-2007, 01:10 PM
Hi,

I am looking for a bullet-proof method for verifying file types for uploaded files.
If there was some way I could check the content type and encoding of the uploaded file. I am trying to avoid trusting the data from the $_FILES associative array because I presume this comes directly from the posted data, which may have been spoofed somehow. Is there something similar to the Linux command 'file', which checks for magic byte sequences against the magic database?

Is there a similar approach in PHP? If so, would this be bullet-proof? I am trying to establish whether an uploaded file is an image.

Any advice on these issues would be greatly appreciated.

rafiki
07-20-2007, 01:19 PM
http://code.sixapart.com/trac/movabletype/changeset/928
HTH, didn't read it all.

timgolding
07-20-2007, 02:22 PM
I found I can run system commands through the system() call, and produced this script to return the output from the system command 'file'.


<?php

if (!empty($_FILES["uploadedfile"]))
{
    // Build the destination path for the upload from the client-supplied name
    $uploaddir = $_SERVER['DOCUMENT_ROOT'] . "/static_files/training/photos/";
    $uploaddir .= basename($_FILES['uploadedfile']['name']);

    // Verify the file using the Linux `file` command on the temporary upload;
    // system() echoes the command output and returns its last line
    $last_line = system('file ' . $_FILES['uploadedfile']['tmp_name'], $retval);
    echo $last_line . '<br />' .
         $retval . '<br />';
}
else
{
    echo $_FILES['uploadedfile']['error'] . '<br />';
}
?>


Then I tested the three different file types I will accept; these are: jpg, png, gif.

Here was the output:



png: tmp/phpNUT6aD: PNG image data, 197 x 106, 8-bit/color RGB, non-interlaced /tmp/phpNUT6aD: PNG image data, 197 x 106, 8-bit/color RGB, non-interlaced

jpg: /tmp/phpYOyoBK: JPEG image data, JFIF standard 1.01 /tmp/phpYOyoBK: JPEG image data, JFIF standard 1.01

gif:/tmp/phpKJHs58: GIF image data, version 89a, 114 x 100 /tmp/phpKJHs58: GIF image data, version 89a, 114 x 100


How can I use these outputs to test? Is there a regex expert in here? :)

timgolding
07-20-2007, 02:42 PM
Would this be acceptable?


<?php

$accepted_types = array('JPEG', 'GIF', 'PNG');

if (!empty($_FILES["uploadedfile"]))
{
    // Build the destination path for the upload from the client-supplied name
    $uploaddir = $_SERVER['DOCUMENT_ROOT'] . "/static_files/training/photos/";
    $uploaddir .= basename($_FILES['uploadedfile']['name']);

    // Verify the file using the Linux `file` command on the temporary upload
    $last_line = system('file ' . $_FILES['uploadedfile']['tmp_name'], $retval);
    echo $last_line . '<br />' .
         $retval . '<br />';

    // Split on "image data"; note $splitvals[0] still carries the
    // "/tmp/phpXXXX: " prefix in front of the type name
    $splitvals = explode('image data', $last_line);
    if (in_array($splitvals[0], $accepted_types))
    {
        echo $splitvals[0] . ' was accepted ';
    }
}
else
{
    echo $_FILES['uploadedfile']['error'] . '<br />';
}
?>

timgolding
07-20-2007, 03:17 PM
Here is my solution:


<?php

$accepted_types = array("JPEG", "GIF", "PNG");

if (!empty($_FILES["uploadedfile"]))
{
    // Build the destination path from the client-supplied file name
    $uploaddir = $_SERVER['DOCUMENT_ROOT'] . "/static_files/training/photos/";
    $uploaddir .= basename($_FILES['uploadedfile']['name']);

    // Verify the file using the Linux `file` command on tmp_name, the temporary
    // filename under which PHP stored the upload on the server; escapeshellarg()
    // keeps the path from being interpreted by the shell
    $last_line = system('file ' . escapeshellarg($_FILES['uploadedfile']['tmp_name']), $retval);

    // Get the image type reported from the magic database, e.g.
    // "/tmp/phpYOyoBK: JPEG image data, JFIF standard 1.01" -> "JPEG"
    $splitvals = explode(' image data', $last_line);   // "/tmp/phpYOyoBK: JPEG"
    $vals = explode(':', $splitvals[0]);               // array("/tmp/phpYOyoBK", " JPEG")
    $vals[1] = str_replace(' ', '', $vals[1]);        // "JPEG" = the type/extension

    if (in_array($vals[1], $accepted_types))
    {
        echo $vals[1] . ' was accepted <br />';
        if (!file_exists($uploaddir))
        {
            // Copy the file to its permanent location
            if (move_uploaded_file($_FILES["uploadedfile"]["tmp_name"], $uploaddir))
            {
                echo $uploaddir . " was uploaded! <br />";
            }
            else
            {
                echo "There was a problem when uploading the new file, please contact admin about this.";
            }
        }
        else
        {
            echo 'This file already exists in DB please rename file before uploading';
        }
    }
}
else
{
    echo $_FILES['uploadedfile']['error'] . '<br />';
}
?>
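PHP's fileinfo extension runs the same libmagic lookup that the `file` command does, without spawning a shell. The script below is an added example, not timgolding's code, that also answers the regex question from the earlier post: it uses finfo when the extension is loaded and otherwise parses `file -b` output with preg_match(). The form field name 'uploadedfile' and the photos directory come from the thread; the function names, the whitelist layout and the random storage name are assumptions.

```php
<?php
// Added example (not the original poster's code): detect the real type of an
// uploaded file with libmagic (via finfo), falling back to the `file` command.
// Assumed form field name "uploadedfile"; assumed storage directory below.

declare(strict_types=1);

// Whitelist: detected MIME type => extension we will store the file under.
// The stored extension is derived from the detected type, never from the client.
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Returns the allowed extension for $path, or null if the file is not an
 * accepted image type. Uses libmagic through finfo, not $_FILES['type'].
 */
function detectAllowedImage(string $path): ?string
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($path);
    if ($mime === false) {
        return null;
    }
    return ALLOWED_IMAGE_TYPES[$mime] ?? null;
}

/**
 * Fallback that parses the output of the `file` command. `-b` drops the
 * "path:" prefix so no splitting on ':' is needed, and escapeshellarg()
 * keeps the path from being interpreted by the shell.
 */
function detectWithFileCommand(string $path): ?string
{
    $out = shell_exec('file -b ' . escapeshellarg($path));
    if (!is_string($out)) {
        return null;
    }
    // e.g. "JPEG image data, JFIF standard 1.01" -> "JPEG"
    if (preg_match('/^(JPEG|PNG|GIF) image data/', $out, $m)) {
        $type = strtolower($m[1]);
        return $type === 'jpeg' ? 'jpg' : $type;
    }
    return null;
}

if (!empty($_FILES['uploadedfile']) && $_FILES['uploadedfile']['error'] === UPLOAD_ERR_OK) {
    $tmp = $_FILES['uploadedfile']['tmp_name'];

    // is_uploaded_file() guards against being handed an arbitrary server path.
    if (!is_uploaded_file($tmp)) {
        exit('Not an uploaded file.');
    }

    $ext = class_exists('finfo') ? detectAllowedImage($tmp) : detectWithFileCommand($tmp);
    if ($ext === null) {
        exit('Rejected: not a JPEG, PNG or GIF.');
    }

    // Assumed storage directory; a directory outside the web root is safer still.
    $uploaddir = $_SERVER['DOCUMENT_ROOT'] . '/static_files/training/photos/';

    // Store under a random name with the detected extension so the
    // client-supplied filename never reaches the filesystem.
    $dest = $uploaddir . bin2hex(random_bytes(16)) . '.' . $ext;

    if (move_uploaded_file($tmp, $dest)) {
        echo htmlspecialchars(basename($dest)) . ' was uploaded as ' . $ext . '<br />';
    } else {
        echo 'There was a problem storing the file.<br />';
    }
} else {
    echo 'Upload error code: ' . (int) ($_FILES['uploadedfile']['error'] ?? -1) . '<br />';
}
```

Both detectors return the same normalised extension, so the storage step never sees client-controlled names or the raw `file` string; rejecting anything not in the whitelist covers the "bullet-proof" requirement as far as type detection can, since libmagic only identifies the format and does not validate the whole file.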

Fumigator
07-20-2007, 05:22 PM
I believe getimagesize() (http://us.php.net/getimagesize) is the easiest way to determine if a file is an image or not; it will even tell you what kind of image it is (regardless of the file extension).


<?php
// getimagesize() returns false when the file does not parse as an image
if (!getimagesize($fileName)) {
    echo "file is not an image.";
}
?>
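As an added example (not Fumigator's code), the script below builds on getimagesize(): it takes the image type from the parsed header, derives the stored extension from that type, and then re-encodes the image through GD so that only the decoded pixel data is written to disk. getimagesize() only proves that the file starts with a valid image header, so the re-encode step is the practitioner's caveat for anything else the file might carry. The form field name 'uploadedfile' and the photos directory come from the thread; the function names and the random file name are assumptions.

```php
<?php
// Added example (not Fumigator's code): getimagesize() as the type check,
// then a GD re-encode so only decoded pixels reach the storage directory.
// Assumed form field name "uploadedfile" and storage directory below.

const ALLOWED_IMAGETYPES = [IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_GIF];

/**
 * Returns the IMAGETYPE_* constant if $path parses as an allowed image,
 * or null. getimagesize() reads the image header, so the client's chosen
 * extension plays no part.
 */
function allowedImageType(string $path): ?int
{
    $info = @getimagesize($path);   // false (plus a warning) when not an image
    if ($info === false) {
        return null;
    }
    $type = $info[2];
    return in_array($type, ALLOWED_IMAGETYPES, true) ? $type : null;
}

/**
 * Caveat: a valid header does not mean the rest of the file is only pixels.
 * Decoding with GD and writing a fresh file keeps the image and drops
 * everything the decoder did not understand.
 */
function reencodeImage(string $src, string $dest, int $type): bool
{
    $img = @imagecreatefromstring(file_get_contents($src));
    if ($img === false) {
        return false;
    }
    switch ($type) {
        case IMAGETYPE_JPEG: $ok = imagejpeg($img, $dest, 90); break;
        case IMAGETYPE_PNG:  $ok = imagepng($img, $dest);      break;
        case IMAGETYPE_GIF:  $ok = imagegif($img, $dest);      break;
        default:             $ok = false;
    }
    imagedestroy($img);
    return $ok;
}

if (!empty($_FILES['uploadedfile']) && $_FILES['uploadedfile']['error'] === UPLOAD_ERR_OK) {
    $tmp  = $_FILES['uploadedfile']['tmp_name'];
    $type = is_uploaded_file($tmp) ? allowedImageType($tmp) : null;

    if ($type === null) {
        exit('Rejected: not a JPEG, PNG or GIF.');
    }

    // Extension derived from the detected type, e.g. ".png" (leading dot included)
    $ext  = image_type_to_extension($type);
    $dest = $_SERVER['DOCUMENT_ROOT'] . '/static_files/training/photos/'
          . bin2hex(random_bytes(16)) . $ext;

    echo reencodeImage($tmp, $dest, $type)
        ? 'Stored ' . htmlspecialchars(basename($dest)) . '<br />'
        : 'Could not decode the image.<br />';
}
```

Re-encoding costs CPU and drops metadata such as EXIF, which is usually acceptable for a photo gallery; if the originals must be kept byte-for-byte, store them outside the web root and serve them through a handler that sets the Content-Type from the detected type.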

timgolding
07-20-2007, 05:26 PM
Oh lol, that will save a lot of lines of code.


