PHP file upload check finfo_file

Question

I have a working PHP MIME validation script to check files that are uploaded to a website. Issue is with the current solution, that one can easily rename dodgy.php to become harmless.pdf and it will pass the validation and upload... I think I need to use the finfo_file PHP 5 logic to check the file more precisely but not sure on how best to integrate this to my current solution... Any advice? Current coded solution is as below, which should allow upload of just .doc, .docx and .pdf files:

$allowedExts = array(
  "pdf", 
  "doc", 
  "docx"
); 

$allowedMimeTypes = array( 
  'application/msword',
  'application/pdf',
  'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
  'application/x-pdf',
  'application/vnd.pdf'
);

$extension = end(explode(".", $_FILES["fileinputFileName"]["name"]));

if ( ! ( in_array($extension, $allowedExts ) ) ) {
//throw error 
$hook->addError('fileinputFileName','Please ensure you select a PDF, DOC or DOCX file.');
return $hook->hasErrors();
}

if ( in_array( $_FILES["fileinputFileName"]["type"], $allowedMimeTypes ) ) 
{
// all OK - proceed     
return true; 
}
else
{
//throw error
$hook->addError('fileinputFileName','Please ensure you select a PDF, DOC or DOCX file.');
return $hook->hasErrors();
}

Failing code example:

$finfo = new finfo(FILEINFO_MIME_TYPE);
if (false === $ext = array_search(
    $finfo->file($_FILES["fileinputFileName"]["tmp_name"]),
    array(
        'doc' => 'application/msword',
        'pdf' => 'application/pdf',
        'docx' => 'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
        'pdf' => 'application/x-pdf',
        'pdf' => 'application/vnd.pdf'
    ),
    // all OK - proceed     
    return true; 
)) {
    //die('Please provide another file type [E/3].');
    $hook->addError('fileinputFileName','Please ensure you select a PDF, DOC or DOCX file.');
    return $hook->hasErrors();
}

score 1 · Answer 1 · answered Oct 26 '15 at 15:44

1

As you mention, relying on the file extension may not be the best strategy here. Instead, you may want to try to detect the mimetype of the file using finfo. From the PHP documentation:

// DO NOT TRUST $_FILES['upfile']['mime'] VALUE !!
// Check MIME Type by yourself.
$finfo = new finfo(FILEINFO_MIME_TYPE);
if (false === $ext = array_search(
    $finfo->file($_FILES['upfile']['tmp_name']),
    array(
        'jpg' => 'image/jpeg',
        'png' => 'image/png',
        'gif' => 'image/gif',
    ),
    true
)) {
    throw new RuntimeException('Invalid file format.');
}

http://php.net/manual/en/features.file-upload.php

answered Oct 26 '15 at 15:44

Paul Bain

4,364
1
16
30

Thanks Paul - I thought my code was checking the Mime type? – dubbs Oct 26 '15 at 17:44
I believe the type being sent here is not inferred from the file but based on the filename. – Paul Bain Oct 26 '15 at 18:10
OK. Just had a go at implementing - but getting a server error. Code I am using is included in the updated question above. Any ideas what the issue is? – dubbs Oct 26 '15 at 18:17
Nothing shows in the logs which is very odd! Its defo an error on the mime-type script though – dubbs Oct 26 '15 at 18:29
what version of PHP are you on? It's in 5.3.0 and above. – Paul Bain Oct 26 '15 at 18:32
Running version 5.4.45 – dubbs Oct 26 '15 at 18:33
Looks like the CMS I run is having an issue with the finfo_open() function. This is in the server error_log "PHP Fatal error: Call to undefined function finfo_open() in public_html/core/cache/includes/elements/modsnippet/89.include.cache.php on line 18" – dubbs Oct 26 '15 at 19:06
I think server does not allow use of finfo – dubbs Oct 26 '15 at 20:47
that's unfortunate. Do you have access to modify the server config? – Paul Bain Oct 28 '15 at 11:39

PHP file upload check finfo_file

1 Answers1

Linked