
I have a file upload form and need to run a check on the file uploaded to ensure it isn't anything that might potentially cause problems on the server (i.e. executables). The files will primarily be images, but I will be dealing with other extensions of raw file formats, which can be many different extensions. So, I feel the easiest way is to check against a list of things I don't want, rather than things I do.

What is the best way to do this? Ideally something that will work on both a Windows and a Linux server, but primarily Linux if not both.

David
  • Why would executables be a risk on the server? Who's going to execute them? – JJJ May 20 '12 at 20:34
  • Considering that a white-list is usually more secure than a blacklist, and that the number of potential malicious extensions is much broader than the number of image extensions, I would strongly recommend the white-list. But I am, however, looking forward to hearing other opinions. – Lukx May 20 '12 at 20:35
  • The "allowed" file list is surely going to be smaller than the "not allowed". –  May 20 '12 at 20:40
  • Try: http://php.net/manual/en/book.fileinfo.php – Marc B May 20 '12 at 20:45
  • Not necessarily; you can try to send a few lines of PHP code that will try to execute some shell command or simply display database credentials, which will be far smaller than a medium-size image. – Zefiryn May 20 '12 at 20:46
  • In your .htaccess in the file upload directory add the directive SetHandler XYZ123_JustAnything; PHP won't execute. – APZ May 20 '12 at 20:50
  • @Juhana that would be the malicious attacker, then. If an additional vulnerability was present in some unpatched installed software that leads to, say, buffer overflow problems, or perhaps some poor coding in a PHP file has led to an LFI vulnerability (surprisingly common in PHP projects) http://hakipedia.com/index.php/Local_File_Inclusion, then executing arbitrary scripts/binaries is a genuine concern. Add to that the ability to let the attacker upload his own file and you're in some serious doo-doo. – Cheekysoft May 21 '12 at 09:32
  • If an attacker can execute arbitrary binaries on a server the game's over regardless of whether they have uploaded their own files or not. – JJJ May 21 '12 at 09:44

1 Answer

I would recommend that you maintain a whitelist of allowed types, rather than a blacklist of blocked ones. Treat any kind of file-extension-based processing as a weak line of defence, though, as it is trivial to circumvent this kind of checking.

So don't just check the file extension. It might be worth validating that the content type of the file matches the extension - see the Fileinfo extension. If you're just using images, you could use GD or ImageMagick to reprocess the file.

Finally, I would recommend that you store any uploaded files on a filesystem which doesn't permit execution - mount with noexec on Linux/UNIX platforms - though note there isn't really an equivalent on Windows.

Ian Gregory
  • +1 and, in PHP, content-type and mime-type are set by the client -> not a good source of information for security purposes. – Jacco May 21 '12 at 09:08
  • The Fileinfo extension will actually examine the file to get the content-type. It's still not infallible as it only examines the file signature. I'd agree that trusting the client for this data would be a bad thing. – Ian Gregory May 21 '12 at 10:09
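The following is an added example, not code from the question or the answer, that puts the answer's three points together in PHP: a whitelist of extensions paired with the MIME type Fileinfo must report, a content check that ignores the client-supplied `$_FILES[...]['type']`, and a GD re-encode under a server-generated name. The form field name `upload`, the directory `/var/www/uploads` and the use of PHP 8 `match` are assumptions made for this example; the directory itself still needs the noexec mount (or the `SetHandler` trick from the comments) so that nothing stored there is ever run by the web server.

```php
<?php
// Added example (not from the original question or answer). Assumes a form
// field named "upload" and an upload directory at UPLOAD_DIR; both are
// placeholders for this example. Requires PHP 8 (match) with GD and Fileinfo.

declare(strict_types=1);

const UPLOAD_DIR = '/var/www/uploads'; // assumed path; put it on a noexec mount
const MAX_BYTES  = 5 * 1024 * 1024;

// Whitelist: extension => MIME type that Fileinfo must report for it.
// Only the types the application actually needs belong here.
const ALLOWED = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

/**
 * Validate one $_FILES entry. Returns the whitelisted extension, or throws
 * RuntimeException with the reason the file was rejected.
 */
function validateUpload(array $file): string
{
    $err = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($err !== UPLOAD_ERR_OK) {
        throw new RuntimeException("Upload failed with error code $err");
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }

    // 1. Extension against the whitelist (case-insensitive). A name such as
    //    "photo.php.jpg" still yields "jpg" here, which is why steps 2-3 follow.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException("Extension '$ext' not allowed");
    }

    // 2. Content check: Fileinfo inspects the bytes (file signature) and must
    //    agree with the extension. $file['type'] comes from the client and is
    //    deliberately ignored.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($detected !== ALLOWED[$ext]) {
        throw new RuntimeException("Content type '$detected' does not match .$ext");
    }

    // 3. Structural check: getimagesize() parses the image header and returns
    //    false for anything it cannot read as an image.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('File is not a valid image');
    }

    return $ext;
}

/**
 * Re-encode the image with GD and store it under a random name. Re-encoding
 * discards data appended to or embedded in the original file, and the
 * generated name keeps the client from choosing what the file is called.
 */
function storeReencoded(string $tmpPath, string $ext): string
{
    $img = match ($ext) {
        'jpg', 'jpeg' => imagecreatefromjpeg($tmpPath),
        'png'         => imagecreatefrompng($tmpPath),
        'gif'         => imagecreatefromgif($tmpPath),
    };
    if ($img === false) {
        throw new RuntimeException('GD could not decode the image');
    }

    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;
    $ok = match ($ext) {
        'jpg', 'jpeg' => imagejpeg($img, $dest, 90),
        'png'         => imagepng($img, $dest),
        'gif'         => imagegif($img, $dest),
    };
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('Could not write re-encoded image');
    }
    chmod($dest, 0644); // readable, never executable
    return $name;
}

// Usage from the upload handler:
try {
    $ext  = validateUpload($_FILES['upload'] ?? []);
    $name = storeReencoded($_FILES['upload']['tmp_name'], $ext);
    echo "Stored as $name\n";
} catch (RuntimeException $e) {
    http_response_code(400);
    echo 'Rejected: ' . $e->getMessage() . "\n";
}
```

The whitelist deliberately maps extension to the exact MIME string Fileinfo returns, so a mismatch in either direction (a renamed script, or a real image with the wrong extension) is rejected rather than normalised. As the answer's comments note, Fileinfo only reads the signature, so the GD re-encode is what actually removes content that a signature check would pass; for the non-image raw formats the question mentions, that step has no equivalent and the noexec storage becomes the main control.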