1

Following this thread: PHP file upload: mime or extension based verification? I assume that I need to check the file extension of the file that I am uploading, correct?

I am trying to upload a binary file that results from a make file into a Raspberry using a PHP Interface.

This is the file in question:

Big_ppd_display_try1: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-armhf.so.3, for GNU/Linux 3.2.0, BuildID[sha1]=047e67dcea785cb3139bc690aebcf0d537ef40fe, with debug_info, not stripped

Following this thread: php check file extension in upload form

I can try:

$allowed =  array('gif','png' ,'jpg');
$filename = $_FILES['uploaded_file']['name'];
$ext = pathinfo($filename, PATHINFO_EXTENSION);
if(!in_array($ext,$allowed) ) {
    echo 'error';
}

But how do I tell PHP to only allow binary files like Big_ppd_display_try1 that have no file extension?

Also, I am doing the upload from a Linux machine. What will that binary file look like on a Windows PC?

bleah1

4 Answers

0

To make sure the file has no extension, compare it with null. To check the MIME type, use the finfo_ functions:

$filename = $_FILES['uploaded_file']['name'];
$finfo = finfo_open(FILEINFO_MIME_TYPE);
$mime = finfo_file($finfo, $_FILES['uploaded_file']['tmp_name']);
$ext = pathinfo($filename, PATHINFO_EXTENSION);
if ($ext === null && $mime === 'application/octet-stream') {
    //do something
}
freeek
  • $ext === null assumes any files with no extension would work. But he only wants binary files. – Azael Oct 01 '19 at 13:18
  • I don't think this will help me. I don't want to let the user the possibility to upload any kind of file. – bleah1 Oct 02 '19 at 07:26
0

We can use the file command if you are using Linux, as below:

  // Quote the temporary path before it is passed to the shell
  $command = 'file ' . escapeshellarg($_FILES['uploaded_file']['tmp_name']);
  $output = shell_exec($command);

It will return a string like

ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-armhf.so.3, for GNU/Linux 3.2.0, BuildID[sha1]=047e67dcea785cb3139bc690aebcf0d537ef40fe, with debug_info, not stripped

You can evaluate the data returning the file type you want with this string.

Shijin TR
  • How, exactly, can I evaluate the returning data ? The BuildID[sha1] will most probably be different each time. And how can I actually get that string that I should parse and check ? – bleah1 Oct 02 '19 at 07:35
0

I assume that I need to check the file extension of the file that I am uploading, correct ?

No.

The file extension is an arbitrary part of the "suggested filename" which is entirely under the control of the user. The procedure you should be following is:

  1. Inspect the contents of the file as shown in this question.
  2. Reject the file if the detected type is not in your allowed list.
  3. Generate your own filename to save it to:
    • the extension should be based on the file type determined at step 1
    • the rest of the name might be based on what the user suggested, but should be filtered through a whitelist of allowed characters, e.g. replacing everything other than letters and numbers with -
IMSoP
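
The procedure in the answer above, applied to the asker's file type, as an added example that is not part of the original thread: it reads the ELF header fields behind the file output quoted in the question ("ELF 32-bit LSB executable, ARM") and stores an accepted upload under a server-generated name. The function names and $destDir are hypothetical.

```php
<?php
// Added example, not from the thread. Function names and $destDir are hypothetical.
// Checks the ELF header fields behind "ELF 32-bit LSB executable, ARM".

function is_arm32_elf_executable(string $bytes): bool
{
    if (strlen($bytes) < 20 || substr($bytes, 0, 4) !== "\x7fELF") {
        return false;                       // too short or wrong magic
    }
    $class = ord($bytes[4]);                // EI_CLASS: 1 = 32-bit
    $data  = ord($bytes[5]);                // EI_DATA:  1 = little-endian (LSB)
    if ($class !== 1 || $data !== 1) {
        return false;
    }
    // e_type and e_machine are 16-bit little-endian fields at offsets 16 and 18
    $f = unpack('vtype/vmachine', substr($bytes, 16, 4));
    return $f['type'] === 2                 // ET_EXEC: executable
        && $f['machine'] === 40;            // EM_ARM
}

function store_firmware_upload(array $file, string $destDir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $header = file_get_contents($file['tmp_name'], false, null, 0, 20);
    if ($header === false || !is_arm32_elf_executable($header)) {
        return null;                        // step 2: reject anything else
    }
    // Step 3: server-generated name; the client's name is only filtered into a label
    $label = preg_replace('/[^A-Za-z0-9]+/', '-', basename($file['name']));
    $dest  = $destDir . '/' . bin2hex(random_bytes(8)) . '-' . substr($label, 0, 40);
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}

// Constructed sample headers (not real binaries) to exercise the check offline
$arm = "\x7fELF\x01\x01\x01" . str_repeat("\x00", 9) . pack('vv', 2, 40);
$x64 = "\x7fELF\x02\x01\x01" . str_repeat("\x00", 9) . pack('vv', 2, 62);
var_dump(is_arm32_elf_executable($arm));   // ARM 32-bit LSB ET_EXEC header
var_dump(is_arm32_elf_executable($x64));   // x86-64 header
var_dump(is_arm32_elf_executable("GIF89a"));
```

A header match only shows that the file has the expected format; it says nothing about what the program does, so who may upload still has to be controlled separately.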
0

I don't know if this is the best resolution but I have ended up checking if the file is an application/octet-stream:

<?php

if (isset($_POST['update_button']) && $_POST['update_button'] == 'Update') {
    if (isset($_FILES['uploaded_file']) &&
        $_FILES['uploaded_file']['error'] === UPLOAD_ERR_OK &&
        $_FILES['uploaded_file']['type'] == "application/octet-stream")
    {
        // print_r($_FILES);
        echo "<br>Successful upload !<br> ";      
    } else {
        echo "<br>File was not uploaded !<br> ";
    }
}

?>

I have ditched checking for file extension or MIME type because I think these can be easily bypassed.

I am now trying to execute the file with a certain argument and check its response.

This is the code I am working on now:

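        $fileTmpPath = $_FILES['uploaded_file']['tmp_name'];
        $fileName = $_FILES['uploaded_file']['name'];
        // echo "<br>$fileTmpPath"."/$fileName<br>";
        // $fileName is chosen by the client, so quote the path before it reaches the shell
        $command = "sudo " . escapeshellarg(".$fileTmpPath"."/$fileName") . " -argument";
        echo "<br>" . htmlspecialchars($command) . "<br>";

        $response = exec($command, $full, $status);
        if($status != 0) {
            echo "<br>Something went wrong<br>";
        } else {
            // Escape the program's output before writing it into the page
            echo "<br>" . htmlspecialchars($response) . "<br>";
        }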
bleah1