I have a feature on my website that allows people to upload various types of files. I don't want people to upload bash files, but I can't tell by just the file extension since a '.pdf' file could contain only bash code as far as I know. Is there a way to check for sure if a file could be run with bash?
- Sounds like an [XY-Problem](https://meta.stackexchange.com/questions/66377/what-is-the-xy-problem) to me. What's the problem with people uploading bash scripts? You can just not *run* them. Remember that even a bash script needs to be [made executable](https://askubuntu.com/questions/229589/how-to-make-a-file-e-g-a-sh-script-executable-so-it-can-be-run-from-termina) first. Also, file extensions are *never* a good way to check the type of a file. At least not by itself. – domsson Jun 07 '17 at 11:54
- "What's the problem with people uploading bash scripts?", my tutor told me that it was a problem to freely upload bash (or other executable) scripts on a server since we don't know if it could be triggered, how it's gonna be used etc. – Shashimee Jun 07 '17 at 12:10
- Well, it's completely up to you and your app what happens to the uploaded files. If you make sure they don't have the executable bit set and if you make sure they wouldn't be executed, then I don't see a particular issue. However, I'm by no means an expert on the field. What's the page going to do with the files? Is it just a file hosting service? You could wrap every file in a `zip` if it makes you feel more comfortable. – domsson Jun 07 '17 at 12:56
- Maybe check out `finfo` as described in [this answer to a related question](https://stackoverflow.com/a/19708187/3316645). – domsson Jun 07 '17 at 13:03
1 Answer
Use `mime_content_type` (http://php.net/manual/en/function.mime-content-type.php):

```php
// File starting with #!/bin/bash
$result = mime_content_type('/path/to/example');
// $result is 'text/x-shellscript'

// File starting with #!/bin/sh
$result = mime_content_type('/path/to/example');
// $result is 'text/x-shellscript'
```

NarfkX
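
An added example (not part of NarfkX's answer or the comments above): content-based detection with `finfo`, combined with the storage precautions domsson describes. The allowlist, function names and temp paths are assumptions made for the illustration.

```php
<?php
// Added example; the allowlist, names and paths are assumptions.
const ALLOWED_TYPES = [              // accepted MIME type => stored extension
    'application/pdf' => 'pdf',
    'image/png'       => 'png',
    'text/plain'      => 'txt',
];

/** Returns the detected MIME type if acceptable, or null to reject. */
function accepted_type(string $path): ?string
{
    // Detect from content, never from the client-supplied name or type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if ($mime === false || !array_key_exists($mime, ALLOWED_TYPES)) {
        return null;                 // text/x-shellscript is not on the list
    }
    // Also refuse any interpreter line, whatever type was detected.
    if (file_get_contents($path, false, null, 0, 2) === '#!') {
        return null;
    }
    return $mime;
}

/** Copies an accepted file to a random name with no executable bit. */
function store_upload(string $tmpPath, string $storageDir): ?string
{
    $mime = accepted_type($tmpPath);
    if ($mime === null) {
        return null;
    }
    $dest = $storageDir . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    // A real handler would call move_uploaded_file($_FILES[...]['tmp_name'], $dest).
    if (!copy($tmpPath, $dest) || !chmod($dest, 0640)) {
        return null;
    }
    return $dest;
}

// Constructed samples: a bash script named like a PDF, and a plain note.
$dir = sys_get_temp_dir() . '/upload_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0750);
file_put_contents("$dir/report.pdf", "#!/bin/bash\necho hello\n");
file_put_contents("$dir/note.txt", "just some text\n");

var_dump(store_upload("$dir/report.pdf", $dir));
var_dump(store_upload("$dir/note.txt", $dir));
```

A file holding shell commands without a `#!` line is typically reported as `text/plain` and can still be run with `bash file`, so detection only filters the obvious cases. Keeping the storage directory outside the web root and the executable bit off is what prevents execution.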