4

I get Video uploads and image uploads:

My environment: LAMP

EDIT: I will allow remote upload and POST video upload

EDIT2: The files which i get will be renamed i wont store the orginal file names.

  1. First I check with $_FILES the mime type.

  2. Second I check with finfo_file (if function exists) the mimetype again (PHP 5.3) or with shell command file.

  3. File gets moved to public dir if its passed the above checks.

My question is this setup secure? Or can I improve something? I read the hole day yesterday this seems for me enough, but who knows :)

I'm a novice when it comes coding and security :-)

Klob
  • 63
  • 4

2 Answers2

1

I can also recommend the followings:

  1. is_uploaded_file Returns TRUE if the file named by filename was uploaded via HTTP POST. This is useful to help ensure that a malicious user hasn't tried to trick the script into working on files upon which it should not be working--for instance, /etc/passwd.This sort of check is especially important if there is any chance that anything done with uploaded files could reveal their contents to the user, or even to other users on the same system.

  2. basename() function to get only file name such as basename(c:/fakepath/something.avi); // will return something.avi since some people try to deceive the computer by giving directory-alike file names.

More about basename():

When you upload a file, you want to move a file to the directory you want for example under /uploads/ folder and but a malicious user can name the file such as something/hello.jpg and then when you move the file with move_uploaded_file($source,$destionation) your $destination would be /uploads/something/hello.jpg and that causes problems. To ensure you got only the proper file name you need to use basename() function which returns hello.jpg and so on.

$file_name = basename($_FILES["upload_ctrl"]["name"]);
if(!move_uploaded_file($_FILES["upload_ctrl"]["tmp_name"],"uploads/".$file_name))
    echo "Opps I cannot upload the file";

For usage of basename visit here: http://php.net/manual/en/function.basename.php

Tarik
  • 79,711
  • 83
  • 236
  • 349
  • ah i forgot to say i will allow remote file upload from some user groups. About basename i dont understand what u mean i looked at php.net but i still dont understand it :) – Klob Jul 10 '11 at 11:35
  • basename() extracts the name of the file without any additional paths. – ComFreek Jul 10 '11 at 11:41
  • sorry for asking again, when i check $_FILES[tmp_name] it gives me the direcrtory where the file name is already renamed to [tmp_name] => /var/www/vhosts/domain.com/tmp/p2A32.tmp is this exploit able? Cause php renames the file already, i dont get it how basename would help me. – Klob Jul 10 '11 at 11:50
  • It is for `tmp_name` and what about when you want to store the file with its original name? Then you will get a the tricked file_name from the user. PHP will store the temp file and its meta data such as file_name, file_type etc. as long as the script is being processed but after that they are gonna be removed. `basename()` is useful when you want to store the files along with their original names. – Tarik Jul 10 '11 at 11:53
  • ok, i see now what you mean, but the files getting renamed and encoded / resized with a unique id, if no more answer will come i will mark your answer thanks :-) – Klob Jul 10 '11 at 12:00
1

as long as you rename with your own file name and extension, and have no include type vulnerabilities in your apps code (ie: include($_GET['whatever']);), this is fairly good. you will also want to make sure everything on your server stack is the latest version (especially anything that processes images/video).

others would recommend including a file serving script which outputs the file, instead of keeping the file in a public folder and referencing the file directly in your src attributes. some would also recommend virus scanning everything.

dqhendricks
  • 19,030
  • 11
  • 50
  • 83
  • 1
    here is some further oppinions that may be helpful: http://stackoverflow.com/questions/6391916/is-it-important-to-verify-that-the-uploaded-file-is-an-actual-image-file – dqhendricks Jul 10 '11 at 23:27