
I'm writing a multiple file upload feature for myself.

The problem is that I'll be uploading .psd, .cdr, .indd, .cad, etc. files.

I can easily check whether a file is a legit image or not, but is there a similar way of validating the file extensions mentioned above?

EDIT: the question is not about checking if a file has an extension like psd, cdr etc. I need to be able to verify if the file is a legit PSD or CDR file.

michaeltintiuc
  • For etc. files it's most easy - as it's undefined, there is nothing to check. But honestly, you would need a verification for each of those formats. Probably some exist, do some research first. Would love it if you list what you find later on as an answer. See as well [How to check file types of uploaded files in PHP?](http://stackoverflow.com/questions/310714/how-to-check-file-types-of-uploaded-files-in-php) – hakre Feb 14 '12 at 09:46
  • well psd files can be checked as they are somewhat XML structured. for etc files I meant other design software file extensions that may come up, but the first 4 are the most important – michaeltintiuc Feb 14 '12 at 09:49
  • I'd approach this from two sides: First find out if file specifications are publicly available and which versions of the file formats exist. Wikipedia is not a too bad starting point for that. The second side would be to search for libraries for these files. For the more popular formats I would assume some might already exist for PHP. Otherwise I would look for system libraries as well if you're running on Linux. – hakre Feb 14 '12 at 10:01

5 Answers


Yes and no.

To extract an extension from the filename is a trivial string operation.
To test the extracted extension against an array of predefined extensions is not rocket science either.

However, in some circumstances such validation can compromise your site's security.
In case you are using the Apache web server, it has an extremely peculiar habit of looking for the file extension among multiple ones.
Say, a filename image.php.cad would be executed as a PHP script by Apache with default settings.

To avoid such a danger, either don't use Apache at all, search for .php throughout the whole filename, or configure your PHP this way:

<FilesMatch \.php$>
  SetHandler php5-script
</FilesMatch> 

(courtesy of http://verens.com/2008/10/13/security-hole-for-files-with-a-dot-at-the-end/ )

Your Common Sense

Use the FileInfo functionality to get the real mimetype of the received files:

http://www.php.net/manual/en/intro.fileinfo.php

Don't trust the extension of the uploaded files; this is browser-sent data that's easy to forge. Just assume the input file has no name and no extension.

ashein
  • looks like mime-type is the way to go, even though it can be faked, there's no way to run the bad script, at least none that I know of. – michaeltintiuc Feb 14 '12 at 10:15
  • @Skatebail - if you're concerned about some kind of script injection via the uploader, you can just put the uploaded files outside of your docroot or just block any direct file access via `.htaccess` in a subdir. I personally let users download such files via another script (as some of the files you may wish to protect against, say, hotlinking, public access etc). – ashein Feb 14 '12 at 10:36
function endsWith($haystack, $needle)
{
    $length = strlen($needle);
    $start  = $length * -1; //negative
    return (substr($haystack, $start) === $needle);
}

// Accept the name only if it ends with one of the allowed extensions.
// Note: this looks at the client-supplied name only, not at the file content.
$allowed = array('.psd', '.cdr', '.indd', '.cad');
$extensionOk = false;
foreach ($allowed as $ext) {
    if (endsWith($_FILES['file1']['name'], $ext)) {
        $extensionOk = true;
        break;
    }
}

if (!$extensionOk) {
   //Error! file extension not correct
} else {
    //correct!
}
Jayyrus
  • this function will not validate anything at all, I can easily write a php shell and rename it as psd. Also you should check for multiple 'dots' in filenames. Thanks for your time though, I really appreciate it. – michaeltintiuc Feb 14 '12 at 09:55
  • understood! you want to check that the file selected is really a file with that extension. RAW WAY: you should open some file with the same extension and check if that file has a header equal to the other. In this way you could open the file with fopen and get the header (fgets) so you really check if the file is correct. Repeat that operation with all extensions you want to allow :) – Jayyrus Feb 14 '12 at 11:17

You could use the function pathinfo:

if ( pathinfo($_FILES['fileinput']['name'], PATHINFO_EXTENSION) == 'psd' ) {
    // do something...
}

For checking mime-type try to use http://ru.php.net/manual/en/function.finfo-file.php


I don't really know PHP commands that provide you with such accurate information. All mentioned above are based on the file extension, which can be spoofed.

If your web server runs on a *nix system, you can use the system command file

system("file " . escapeshellarg($filePath)); // quote the path so it cannot inject shell syntax

This is reliable because file looks at the head of the file content (the file extension does not alter the results). This command is specific to binary files. Text files, like sql, are all ascii.

If you see this as a solution, have a look at the man page and check the options of file.

Al_
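As an added example, not code from any of the answers above, the following PHP ties together the content-based checks that ashein (finfo), Jayyrus's comment (compare the file header) and Al_ (the file command, i.e. libmagic) describe. It reads the leading bytes of the uploaded temp file and compares them with a small signature table, asks libmagic for a second opinion that is only ever used to reject, and then stores the file under a server-chosen name. The PSD signature ("8BPS" at offset 0) and the CDR signature ("RIFF" at offset 0, "CDR" at offset 8) come from the public format descriptions; the function names, the table, the demo files and the choice of rejected MIME prefixes are assumptions made for this example, and ".cad" is deliberately not recognised because it is not one fixed format.

```php
<?php
// Added example (not from any answer on this page): accept an upload only if its
// CONTENT matches a known signature, cross-check with libmagic, and never let the
// client-supplied name reach the filesystem.

// Constructed signature table. Add further formats only after reading their spec.
const UPLOAD_SIGNATURES = [
    // Adobe Photoshop: file starts with the ASCII bytes "8BPS"
    'psd' => ['prefix' => '',     'offset' => 0, 'bytes' => '8BPS'],
    // CorelDRAW: RIFF container whose form type at offset 8 starts with "CDR"
    'cdr' => ['prefix' => 'RIFF', 'offset' => 8, 'bytes' => 'CDR'],
];

// Read the first 64 bytes of $path and return the matching format key, or null.
function detectFormat(string $path): ?string
{
    $head = @file_get_contents($path, false, null, 0, 64);
    if ($head === false) {
        return null;
    }
    foreach (UPLOAD_SIGNATURES as $format => $sig) {
        if ($sig['prefix'] !== '' && strncmp($head, $sig['prefix'], strlen($sig['prefix'])) !== 0) {
            continue;
        }
        if (substr($head, $sig['offset'], strlen($sig['bytes'])) === $sig['bytes']) {
            return $format;
        }
    }
    return null;
}

// Validate one $_FILES entry. Returns [true, $storedName] or [false, $reason].
// $allowed lists the format keys this form accepts, e.g. ['psd', 'cdr'].
function validateUpload(array $file, array $allowed): array
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return [false, 'upload failed'];
    }
    // Refuse to inspect anything PHP did not itself receive as an upload.
    if (!is_uploaded_file($file['tmp_name'])) {
        return [false, 'not an uploaded file'];
    }

    $format = detectFormat($file['tmp_name']);
    if ($format === null || !in_array($format, $allowed, true)) {
        return [false, 'content is not an accepted format'];
    }

    // Second opinion from libmagic (the database behind the `file` command). Used
    // only to REJECT, never to accept: bytes that start with "8BPS" but that libmagic
    // still classifies as text or a script are suspicious enough to drop.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (is_string($mime) && preg_match('#^(text/|application/x-php|application/x-httpd)#', $mime)) {
        return [false, 'libmagic reports ' . $mime];
    }

    // The client name is untrusted; it is consulted only so the claimed extension
    // must agree with what the bytes say. "shell.php.psd" never gets this far,
    // because its content does not match a signature.
    $claimed = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if ($claimed !== $format) {
        return [false, 'extension does not match content'];
    }

    // Server-chosen name: nothing from the request reaches the path. The caller
    // then uses move_uploaded_file() to a directory outside the document root.
    return [true, bin2hex(random_bytes(16)) . '.' . $format];
}

// Offline demonstration with constructed files (no real upload involved), so only
// detectFormat() runs here; validateUpload() needs a genuine $_FILES entry.
function demo(): array
{
    $dir = sys_get_temp_dir();
    $samples = [
        'real.psd' => '8BPS' . str_repeat("\0", 60),                            // valid Photoshop header
        'real.cdr' => 'RIFF' . "\x10\0\0\0" . 'CDRD' . str_repeat("\0", 52),   // valid RIFF/CDR header
        'fake.psd' => "<?php echo 'not a psd'; ?>",                              // script renamed to .psd
    ];
    $results = [];
    foreach ($samples as $name => $bytes) {
        $path = $dir . DIRECTORY_SEPARATOR . 'upl_' . $name;
        file_put_contents($path, $bytes);
        $results[$name] = detectFormat($path);   // 'psd', 'cdr', null
        unlink($path);
    }
    return $results;
}

print_r(demo());
```

Run with `php example.php`; the demo reports `psd` and `cdr` for the two constructed headers and `null` for the renamed script. Because the stored name is generated server-side and the file is moved outside the document root, the Apache multiple-extension problem from the first answer (image.php.cad) never arises: no user-controlled name is ever served from a directory the web server executes scripts in.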