1

There are two ways to validate a file format when uploading to php.

$imageFileType = strtolower(pathinfo($target_file,PATHINFO_EXTENSION));
if($imageFileType != "jpg" && $imageFileType != "png" && $imageFileType != "jpeg"
&& $imageFileType != "gif" ) { ........

and use mime type ...

if(($_FILES["file"]["type"] == "image/gif")
|| ($_FILES["file"]["type"] == "image/jpeg")
|| ($_FILES["file"]["type"] == "image/pjpeg")
|| ($_FILES["file"]["type"] == "image/png")
|| ($_FILES["file"]["type"] == "image/jpg") .....

Which mode do you recommend that we trust in terms of security and why?

ADONIYA . ir
  • 7
  • 2
  • 2
    Security of *what*? What are you trying to do? Neither method actually inspects the contents of the file. Both can be easily spoofed. Sometimes, they don't exist. The `type` is what should be used. File name extensions are not used in all cases. Most systems though infer `type` from `filename`. – Brad Apr 04 '20 at 06:00
  • I want to allow users of my site to upload files in mp3, mp4,doc,docx,pdf,jpg,png,gif,psd,avi,ogg,zip, etc. formats. According to my research, there are two methods I mentioned in the question. Which method is more secure? – ADONIYA . ir Apr 04 '20 at 06:08
  • I wrote an answer to this issue. Check out this answer https://stackoverflow.com/a/59986578/7935051 – unclexo Apr 04 '20 at 07:32
  • 1
    Both alternatives are exactly the same thing: they just ask the client and take the answer for good. It's like a security guard asking visitors: "Are you going to steal stuff here?". The only difference is that browser may not be able to detect mime type properly so checking type may lead to reject legit input. – Álvaro González Apr 04 '20 at 12:01
  • @ Álvaro González What do you suggest for uploading files in different formats safely? – ADONIYA . ir Apr 04 '20 at 12:21
  • 1
    if you only accepting images pass it though something like getimagesize, or Imagick::getImageProperties etc to get image metadata, that for sure will tell you its an image. If you want to allow arbitrary files inc php files then just make sure the directory is not public accessible or has default php handler on it, or use a loader, as long as your not allowing php code to execute your be fine. – Lawrence Cherone Apr 04 '20 at 12:31

2 Answers2

0

PHP has a set of imagecreatefromXXX() functions. I would use these based on the $_FILES['xxx']['type'] and see if you get a valid image resource. If the output from the imagecreatefromXXX() is FALSE, discard the file. See example here:

https://www.php.net/manual/en/function.imagecreatefrompng

It's also good to know about how to do safe file uploads, etc. As always on the PHP site, the user-contributed notes contain nuggets of pure gold.

https://www.php.net/manual/en/features.file-upload.php

https://www.php.net/manual/en/features.file-upload.post-method.php

Ray Paseur
  • 2,106
  • 2
  • 13
  • 18
-2

@unclexo I wrote the code as follows. Do you think it is safe?

$file = $_FILES["file"]["name"];
$Forfi = basename($file);
$FilTy = strtolower(pathinfo($Forfi,PATHINFO_EXTENSION));
if( $FilTy == "gif" || $FilTy == "jpg" || $FilTy == "jpeg" .............. Step 1

if(($_FILES["file"]["type"] == "image/gif") || ($_FILES["file"]["type"] == "image/jpeg")
|| ($_FILES["file"]["type"] == "image/pjpeg") || .............. Step 2

if($_FILES["file"]["size"] < 17500000){.............. Step 3

if($_FILES["file"]["error"] == 0){.............. Step 4

if(is_uploaded_file($_FILES["file"]["tmp_name"])){ .............. Step 5

$MimeChk = finfo_file(finfo_open(FILEINFO_MIME_TYPE) , $_FILES["file"]["tmp_name"]);
$AllowTy = array("image/png","image/jpeg","application/pdf");
if(in_array($MimeChk,$AllowTy)){ .............. Step 6

.... rename file and use move_uploaded_file .............. Step 7

These 7 steps are performed in order. Do you think these intruders are safe for uploading files?

ADONIYA . ir
  • 7
  • 2
  • No, this code isn't inherently "safe". And no, maybe it doesn't matter! What specifically are you worried about? You say in your comments above that you want people to upload a whole bunch of document types. Safe for whom? Is someone also later downloading these? At some point you have to look at virus scanning and such as well, but that isn't foolproof. – Brad Apr 04 '20 at 15:01
  • @Brad What method do you suggest? I want the user to be able to upload most of the files and display these files in the content on the site. – ADONIYA . ir Apr 04 '20 at 15:51
  • So, you're trying to protect the users of your site? Why does security have anything to do with the file type, in this context? PDFs, for example, can have a ton of stuff in them. – Brad Apr 04 '20 at 15:54
  • @ADONIYA.ir You can't make a file upload 100% secure. But there are some functions (in PHP) that you can use to protect file-upload from specific attacks. In my answer (the link attached above), I tried to describe how someone should use those functions. I hope you'll understand. One question why did you ask for help in my medium post? Please remove it. – unclexo Apr 04 '20 at 17:30