0

I preg_replace anything like .php.jpg, .php.png, .js.jpg, .js.png, in the name of the uploaded file (images) for security purposes and would like to know if there are any extensions that I should also consider replacing before moving the file to the corresponding folder after the upload is complete?

user1190478
  • 119
  • 1
  • 11

3 Answers

3

Looking at the filename alone is really not a safe way to prevent rogue code/executables being uploaded.

Depending on the type of files you are accepting for upload there are better ways to play it safe.

As a general rule never upload any files to anywhere publicly accessible from the web until you know 100% they're not anything dubious.

If you are allowing image uploads - use a server side technology such as GD or ImageMagick to re-save the file out before using it. If these tools can't load a valid image from what has been uploaded (catch the errors so you know...) either drop, or quarantine the file until you investigate manually.

In any case never store the file under the original file name as uploaded even with extensions swapped out / replaced.

Search the site for upload security for some more detailed tips - this question does come up reasonably regularly.

steve
  • 2,469
  • 1
  • 23
  • 30
  • If I set the file access permission via chmod(), I can't see any change in permissions. If I echo the permission mod via fileperms() before the change and after the change the value is the same. Ajax response text contains the same value - 33206. Does it mean that the permission on this file hasn't changed, or has it something to do with the fact that I'm currently testing the scripts in the Windows environment? – user1190478 Feb 05 '14 at 18:07
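The re-save approach this answer recommends, written out as an added example (it is not the asker's script and not code from the answer). It assumes PHP 7.1 or later with the GD and fileinfo extensions, and an upload directory (UPLOAD_DIR below, an assumption) outside the document root, so a stored file only ever reaches a browser through a script that reads it and sends it with a fixed Content-Type:

```php
<?php
// Added example (not code from the question or from the answer).
// Assumes PHP 7.1+ with the GD and fileinfo extensions, and an upload
// directory that Apache does not serve directly (UPLOAD_DIR is an assumption).
// The idea from the answer: ignore the client's name and type, decode the
// bytes with GD, re-encode into a fresh file under a random name, and keep
// only that. Anything riding along in the original (a PHP payload after the
// image data, script in an EXIF or GIF comment) does not survive re-encoding.
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/uploads';   // assumption: outside the document root
const MAX_BYTES  = 5 * 1024 * 1024;      // assumption: 5 MiB size cap
const MAX_PIXELS = 25000000;             // assumption: cap against decompression bombs

/**
 * Re-encode the uploaded image at $tmpPath and store it under a random name.
 * Returns the new basename, or null if the upload is rejected.
 */
function storeUploadedImage(string $tmpPath): ?string
{
    if (!is_uploaded_file($tmpPath) || filesize($tmpPath) > MAX_BYTES) {
        return null;
    }

    // 1. Sniff the type from the bytes; $_FILES['...']['type'] is client-supplied.
    $mime    = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
    if (!is_string($mime) || !isset($allowed[$mime])) {
        return null;
    }

    // 2. Read the header for dimensions before decoding, so a tiny file that
    //    claims a 50000x50000 canvas cannot exhaust memory inside GD.
    $info = @getimagesize($tmpPath);
    if ($info === false || $info[0] * $info[1] > MAX_PIXELS) {
        return null;
    }

    // 3. Decode. GD emits warnings rather than exceptions, so suppress them
    //    and test the return value; failure here means "not a real image".
    $img = @imagecreatefromstring((string) file_get_contents($tmpPath));
    if ($img === false) {
        return null;                     // or move to quarantine for manual review
    }

    // 4. Write a brand-new file under a name the client never chose.
    $ext  = $allowed[$mime];
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;
    if ($ext === 'jpg') {
        $ok = imagejpeg($img, $dest, 90);
    } elseif ($ext === 'png') {
        $ok = imagepng($img, $dest);
    } else {
        $ok = imagegif($img, $dest);     // note: keeps only the first frame of an animated GIF
    }
    imagedestroy($img);
    if (!$ok) {
        @unlink($dest);
        return null;
    }
    chmod($dest, 0644);                  // rw-r--r--, no execute bit (no effect on Windows)
    unlink($tmpPath);
    return $name;
}

// Usage from the form handler:
// if (isset($_FILES['image']) && $_FILES['image']['error'] === UPLOAD_ERR_OK) {
//     $stored = storeUploadedImage($_FILES['image']['tmp_name']);
//     echo $stored === null ? 'rejected' : 'stored as ' . $stored;
// }
```

Because the stored file is a fresh encode written by GD, the filename question becomes moot (the name is generated) and any code hidden in the original bytes is discarded rather than detected. On the chmod() question in the comment: on Windows, PHP's chmod() only toggles the read-only attribute, so fileperms() keeps reporting 33206 (octal 0100666, a regular file with mode 0666) before and after; the 0644 above only takes effect on a Unix host.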
0

Depending on what you need to do with the file, it would be possible to encrypt or just run gzip on the files. That way you save space on the server, and if someone uploads script files they can't be run via an HTTP request. The thing I would do is check whether there is any public access to the files and/or set up an .htaccess file.

xasz
  • 26
  • 2
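An .htaccess for the upload directory along the lines this answer suggests, added here as an example (not from the answer). It assumes Apache 2.4, AllowOverride permitting these directive classes for the directory, and PHP running as mod_php (which is what php_flag needs):

```apache
# Added example: .htaccess for the directory that holds uploaded files.
# Assumes Apache 2.4 and AllowOverride for FileInfo, Options and AuthConfig here.

# Switch the PHP engine off for this tree (only has effect under mod_php).
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>

# Remove script handlers so mod_mime never maps a segment such as the
# ".php" in "x.php.jpg" to an interpreter, and forbid CGI and listings.
RemoveHandler .php .phtml .php3 .php5 .phar .pl .py .cgi
RemoveType    .php .phtml .php3 .php5 .phar
Options -ExecCGI -Indexes

# Belt and braces: refuse to serve anything whose name contains a script
# extension in any segment, whatever the handler configuration says.
<FilesMatch "\.(php[0-9]?|phtml|phar|pl|py|cgi|sh)(\.|$)">
    Require all denied
</FilesMatch>
```

With PHP-FPM instead of mod_php the php_flag lines are inert and a SetHandler applied in the server config is not undone by RemoveHandler, so the FilesMatch deny block is the part that works in every setup. Keeping the upload directory outside the document root entirely makes all of this unnecessary.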
0

Short answer: yes, there are many other executable extensions that you should also consider blocking if you are going to use a blacklist approach, like 'phtml', 'java', 'perl', 'py', 'asp', 'go', and you should consider 'exe' and 'bat' and others that could deliver malware.

But I would only use a blacklist if you are going to completely block moving them (or possibly even uploading, as a kind of form validation before you get to the more complicated parts), not if you are going to upload and change the names on moving. No matter what, you don't want some unknown Java or Go or Python etc. sitting on your server regardless of what it is called, and even if you are not on Apache (which lets you put the executable extension in places besides the last segment). Why allow that upload to go forward? It can be simpler (and you'll see people recommend it) to just not allow 3+ level names, but there are plenty of legitimate uses of three-level names, such as for language identification. This approach alone is not going to keep you safe from executable code, however. This needs to be part of a larger set of things you do to make file uploading as safe as possible (such as also checking image files for embedded code).

Elin
  • 6,507
  • 3
  • 25
  • 47
  • Thanks for the answer. I have written the script in the way that it will rename every image, give it a unique name and only then will move to the appropriate directory. How can I check for embedded code? – user1190478 Feb 05 '14 at 19:49
  • 1
    You could look at what Joomla does for this, https://github.com/joomla/joomla-cms/blob/staging/libraries/cms/helper/media.php#L190 – Elin Feb 05 '14 at 21:35
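An added example of the two points in this answer and its comments (it is not the asker's script and not Joomla's MediaHelper): a blacklist applied to every dot-separated segment of the client's filename, because Apache's mod_mime assigns handlers from any segment, so "shell.php.jpg" can still run as PHP, and a coarse scan of the file's bytes for code openers as one form of "embedded code" check. The extension list and the patterns are assumptions, illustrative rather than complete:

```php
<?php
// Added example (not the asker's script and not Joomla's code).
// hasDangerousSegment(): blacklist checked against EVERY segment of the
// name, not just the last one, because Apache maps handlers from any segment.
// looksLikeCode(): crude scan of the bytes for PHP/script openers and
// executable headers. Extension list and patterns are assumptions.
declare(strict_types=1);

const DANGEROUS_SEGMENTS = [
    'php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'phps', 'inc',
    'pl', 'py', 'rb', 'cgi', 'sh', 'asp', 'aspx', 'jsp', 'java', 'go', 'js',
    'exe', 'bat', 'cmd', 'com', 'scr', 'htaccess', 'htm', 'html', 'svg',
];

/** True if any segment of the (base) filename is on the blacklist. */
function hasDangerousSegment(string $clientName): bool
{
    // Strip any path the client sent (some browsers send "C:\...\x.jpg").
    $base = basename(str_replace('\\', '/', $clientName));
    foreach (explode('.', strtolower($base)) as $segment) {
        if ($segment !== '' && in_array($segment, DANGEROUS_SEGMENTS, true)) {
            return true;
        }
    }
    return false;
}

/** True if the bytes contain something that looks like code rather than image data. */
function looksLikeCode(string $bytes): bool
{
    $patterns = [
        '/<\?php/i',      // PHP open tag anywhere (e.g. inside a GIF comment block)
        '/<script\b/i',   // HTML/SVG script element
        '/^#!/',          // shebang at start of file
        '/^MZ/',          // Windows PE executable header
        '/^\x7fELF/',     // ELF executable header
    ];
    foreach ($patterns as $re) {
        if (preg_match($re, $bytes) === 1) {
            return true;
        }
    }
    return false;
}

/** Returns the reasons to reject; an empty list means the upload passed this screen. */
function screenUpload(string $clientName, string $bytes): array
{
    $reasons = [];
    if (hasDangerousSegment($clientName)) {
        $reasons[] = 'filename segment on blacklist';
    }
    if (looksLikeCode($bytes)) {
        $reasons[] = 'content looks like code';
    }
    return $reasons;
}

// Constructed samples, not real uploads:
$samples = [
    'holiday.jpg'    => "\xFF\xD8\xFF\xE0\x00\x10JFIF\x00",            // JPEG header, passes
    'photo.en.jpg'   => "\x89PNG\r\n\x1a\n",                            // legitimate 3-level name, passes
    'shell.php.jpg'  => "GIF89a<?php system(\$_GET['c']); ?>",          // both checks fire
    'cute.jpg'       => "GIF89a\x01\x00\x01\x00<?php echo 'hi'; ?>",    // name clean, bytes are not
    'report.pdf.exe' => "MZ\x90\x00",                                   // PE dressed up as a PDF
];
foreach ($samples as $name => $bytes) {
    $reasons = screenUpload($name, $bytes);
    printf("%-16s %s\n", $name, $reasons ? 'REJECT: ' . implode('; ', $reasons) : 'pass');
}
```

Treat a hit from looksLikeCode() as a reason to reject or quarantine, not as proof of anything: short patterns can match by chance inside compressed image data, and a payload can be encoded so that no pattern matches. The blacklist and the scan are pre-filters; re-encoding the image and storing it under a generated name in a non-executable location is what actually removes the risk.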