
I'd like to check if the file uploaded by the untrusted user is a video file.

I did my Google search and most of the answers suggest checking the MIME type or even parsing the extension.

How to check a file is video type or not in php?

This is really bad, since it can be spoofed. The third answer suggests using the Unix file command, but I am not sure if it is supposed to be used in such a way.

Is there a way to identify uploaded videos? What I found so far are precautions but not the actual answer (see What is the most secure method for uploading a file?).

sanjihan
  • I would think mime_content_type() would be the right approach –  Jun 21 '18 at 21:10
  • You're right, checking mime from upload can be spoofed, and extensions are worse (some of those answers need updating/removing, clearly wrong, you got rep, downvote them..), ok so use [finfo](http://php.net/manual/en/function.finfo-file.php) to check the actual file's mime type. – Lawrence Cherone Jun 21 '18 at 21:12
  • One of the comments in the docs warns about getting mime type using finfo_file. http://php.net/manual/en/function.finfo-file.php#75275 It is 11 years old, but still.. – sanjihan Jun 21 '18 at 21:22
  • unless you're running `exe('uploaded.file')` what's the worst case here? –  Jun 21 '18 at 21:26
  • You can probably really make sure by using FFmpeg / something like getID3 http://getid3.sourceforge.net/ – HTMHell Jun 21 '18 at 21:27

1 Answer

You can use the getID3 class: http://getid3.sourceforge.net/

```php
<?php
// Path of the uploaded file to inspect; change this to match your file path
$file = ROOT_PATH . 'upload/big_buck_bunny.mp4';

require_once('getid3/getid3.php');
$engine = new getID3;
// analyze() parses the file and returns an array describing its format and streams
$fileinfo = $engine->analyze($file);
```

Check if `$fileinfo['video']` exists or `$fileinfo['mime_type']` includes `video/`.

`echo '<pre>'; print_r($fileinfo); echo '</pre>';` returns:

Array
(
    [GETID3_VERSION] => 1.9.15-201806201619
    [filesize] => 5510872
    [filepath] => C:/workspace/sites/test/upload
    [filename] => big_buck_bunny.mp4
    [filenamepath] => C:/workspace/sites/test/upload/big_buck_bunny.mp4
    [avdataoffset] => 37114
    [avdataend] => 5510872
    [fileformat] => mp4
    [audio] => Array
        (
            [dataformat] => mp4
            [codec] => ISO/IEC 14496-3 AAC
            [sample_rate] => 22050
            [channels] => 2
            [bits_per_sample] => 16
            [lossless] => 
            [channelmode] => stereo
            [streams] => Array
                (
                    [0] => Array
                        (
                            [dataformat] => mp4
                            [codec] => ISO/IEC 14496-3 AAC
                            [sample_rate] => 22050
                            [channels] => 2
                            [bits_per_sample] => 16
                            [lossless] => 
                            [channelmode] => stereo
                        )

                )

        )

    [video] => Array
        (
            [dataformat] => quicktime
            [rotate] => 0
            [resolution_x] => 640
            [resolution_y] => 360
            [fourcc] => avc1
            [fourcc_lookup] => H.264/MPEG-4 AVC
            [frame_rate] => 7.317
            [lossless] => 
            [pixel_aspect_ratio] => 1
        )

    [warning] => Array
        (
            [0] => Unknown QuickTime atom type: "hmhd" (68 6d 68 64), 28 bytes at offset 20144
            [1] => Unknown QuickTime atom type: "hmhd" (68 6d 68 64), 28 bytes at offset 30893
        )

    [comments] => Array
        (
            [language] => Array
                (
                    [0] => English
                )

        )

    [encoding] => UTF-8
    [mime_type] => video/mp4

    ---------- THERE IS WAY MORE STUFF HERE "print_r()" TO SEE ALL ----------

    [time_scale] => 22050
            [display_scale] => 1
            [video] => Array
                (
                    [rotate] => 0
                    [resolution_x] => 640
                    [resolution_y] => 360
                    [frame_rate] => 7.317
                    [frame_count] => 1
                )

            [audio] => Array
                (
                    [codec] => mp4
                    [sample_rate] => 22050
                    [channels] => 2
                    [bit_depth] => 16
                )

            [stts_framecount] => Array
                (
                    [0] => 1295
                    [1] => 1440
                    [2] => 1440
                    [3] => 648
                )

            [free] => Array
                (
                    [hierarchy] => free
                    [name] => free
                    [size] => 8
                    [offset] => 37098
                )

            [mdat] => Array
                (
                    [hierarchy] => mdat
                    [name] => mdat
                    [size] => 5473766
                    [offset] => 37106
                )

            [encoding] => UTF-8
        )

    [playtime_seconds] => 60.095
    [bitrate] => 728680.65562859
    [playtime_string] => 1:00
)
Scotty G
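A server-side gate that combines the two suggestions on this page (finfo from the comments, getID3 from the answer), as an added example that is not part of the original answer. `videoVerdict()`, `acceptVideoUpload()` and the two-entry MIME allowlist are assumptions; the `getid3/getid3.php` path is the one the answer uses.

```php
<?php
// Added example; function names and the allowlist are assumptions, not from the answer.
const VIDEO_EXT_BY_MIME = ['video/mp4' => 'mp4', 'video/quicktime' => 'mov'];

// Pure decision step: $info is the getID3::analyze() result, $sniffed is finfo's MIME type.
function videoVerdict(array $info, string $sniffed): array
{
    if (!empty($info['error'])) {
        return [false, 'parser error: ' . implode('; ', (array) $info['error'])];
    }
    $video = $info['video'] ?? null;
    if (!is_array($video)) {
        return [false, 'no video stream'];
    }
    if (!array_key_exists($info['mime_type'] ?? '', VIDEO_EXT_BY_MIME)) {
        return [false, 'container not on allowlist'];
    }
    if (strncmp($sniffed, 'video/', 6) !== 0) {
        return [false, "finfo disagrees: $sniffed"];
    }
    // A file can carry a valid container header and little else; require stream properties too.
    if (($video['resolution_x'] ?? 0) <= 0 || ($video['resolution_y'] ?? 0) <= 0
        || ($info['playtime_seconds'] ?? 0) <= 0) {
        return [false, 'video stream has no dimensions or duration'];
    }
    return [true, 'ok'];
}

// Upload handler: never reads $upload['type'] or $upload['name'], both client-controlled.
function acceptVideoUpload(array $upload, string $destDir): string
{
    if (($upload['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($upload['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    require_once 'getid3/getid3.php'; // library path as in the answer
    $info    = (new getID3)->analyze($upload['tmp_name']);
    $sniffed = (string) (new finfo(FILEINFO_MIME_TYPE))->file($upload['tmp_name']);
    [$ok, $reason] = videoVerdict($info, $sniffed);
    if (!$ok) {
        throw new RuntimeException("rejected: $reason");
    }
    // Server-generated name and extension; the client's file name never reaches disk.
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16))
          . '.' . VIDEO_EXT_BY_MIME[$info['mime_type']];
    if (!move_uploaded_file($upload['tmp_name'], $dest)) {
        throw new RuntimeException('could not store upload');
    }
    return $dest;
}
```

Passing both parsers shows the file has video structure, not that it contains nothing else, so keep `$destDir` outside any directory where PHP is executed.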