I worked for a company that did mass free hosting and I can tell you that browser-supplied MIME types are not enough in many situations.
I had to resort to file magic byte testing (the technique used by the unix 'file' command), and then further to ensuring that tars, rars, bzips, pkzips etc. all passed consistency checks and had no padded data on the end, as well as checking the contents. We also ended up having to run JPEGs and GIFs through image libraries to ensure the same, as people were uploading copies of Windows in hundreds of JPEGs which had proper headers but the remainder was added-on CAB files.

Also, if I remember correctly you must write a mod_perl content handler in order to accurately stop a 'claimed' 100k upload that is in actuality a 100MB upload. We did this by counting bytes as we read them and aborting once over a given size. Also, I think some browsers don't correctly report the size of uploaded files, but I am kinda hazy on this aspect. This was apache 1.3 btw.

1. Check file magic-bytes/fingerprint. Decline anything you don't explicitly permit.
2. Ensure they cannot upload larger than claimed/quota amounts by writing a handler in mod_perl or C that counts the bytes. TIME OUT slow connections... e.g., upload 100k, wait, slow down, wait some more, send some bytes, etc. This is an easy way to DOS you.
3. Check images against image libraries. Do your best to ensure that no data is padded on the end by checking the jpg headers (can't remember the GIF method) and ensuring that the data segment processes without errors.
4. If you permit any archive/multi-file formats, open them, and check the contents.

If you want something short and somewhat secure, stick with the 1st step at least.

IMHO: NEVER trust user uploads unless you have their name, addy, credit card number, and the promise of their first born. :)

On Wed, 2005-03-02 at 18:08 -0500, Jonathan Vanasco wrote:
> Great points, and I figured as much would be needed to 'rule in'
> acceptable items
>
> do you think that the browser mime type would be sufficient to 'rule
> out' items as a preliminary check?
> ie: if it passes the mime test, do a size test, else don't bother
>
> or, would that probably toss too many good pictures?
>
>
> On Mar 2, 2005, at 5:04 PM, Dan Wilga wrote:
>
> > At 1:44 PM -0500 3/1/05, Jonathan Vanasco wrote:
> >> I'm in need of a 'good' method to limit files uploaded via mod_perl2
> >> ( to photos of gif/jpg/png 100k or less)
> >
> >> 2 - i've noticed a type of "image/jpeg" "image/gif" "image/png" for
> >> uploaded file types. can this be relied on to any extent?
> >
> > I wouldn't. You're relying on the browser to supply a proper MIME
> > type, which IMHO is not the best place to put the burden.
> >
> > Personally, I use Image::Size::imgsize() (see CPAN) for this. It
> > automagically figures out the image's type (and size) based upon the
> > file header. It doesn't even rely upon the .jpg or .gif ending, which
> > would also be a bad idea.
> >
> > --
> > Dan Wilga [EMAIL PROTECTED]
> > Web Administrator http://www.mtholyoke.edu
> > Mount Holyoke College Tel: 413-538-3027
> > South Hadley, MA 01075 "Who left the cake out in the rain?"

--
Richard F. Rebel <[EMAIL PROTECTED]>
WhenU.com
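The checks described in the post above (magic-byte allow-listing, counting bytes as they arrive, and rejecting data padded after the image's end marker), as an added Python example that is not code from the thread. The JPEG samples are constructed marker skeletons rather than real images, and only the JPEG end-of-data walk is shown; PNG and GIF would need their own walkers.

```python
# Added example, not code from the thread: allow-list magic-byte sniffing, a walk
# to the JPEG end marker (so appended data is rejected) and a byte-counting reader.
MAGIC = {b"\xff\xd8\xff": "image/jpeg", b"\x89PNG\r\n\x1a\n": "image/png",
         b"GIF87a": "image/gif", b"GIF89a": "image/gif"}

def sniff_type(data):
    """Return the permitted MIME type for these magic bytes, else None."""
    return next((m for sig, m in MAGIC.items() if data.startswith(sig)), None)

def jpeg_end_offset(data):
    """Offset just past EOI, walking marker segments; None if malformed."""
    pos = 2                                          # skip SOI
    while pos + 2 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xD9:                           # EOI
            return pos + 2
        if pos + 4 > len(data):
            return None
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
        if marker == 0xDA:                           # SOS: skip scan data;
            while pos + 1 < len(data) and not (      # FF00 / RSTn are not markers
                    data[pos] == 0xFF and data[pos + 1] not in (0, *range(0xD0, 0xD8))):
                pos += 1
    return None

def read_limited(chunks, limit):
    """Count bytes as chunks arrive; abort once the upload exceeds limit."""
    buf = bytearray()
    for piece in chunks:
        buf += piece
        if len(buf) > limit:
            raise ValueError("upload exceeds %d bytes" % limit)
    return bytes(buf)

def check_upload(chunks, limit=100 * 1024):
    """Return (mime, None) when accepted, otherwise (None, reason)."""
    try:
        data = read_limited(chunks, limit)
    except ValueError as err:
        return None, str(err)
    mime = sniff_type(data)
    if mime is None:
        return None, "type not permitted"
    if mime == "image/jpeg":                  # PNG/GIF would need their own walkers
        end = jpeg_end_offset(data)
        if end is None or end < len(data):
            return None, "malformed jpeg or data padded after EOI"
    return mime, None

# Constructed samples (marker skeletons, not real images): clean, then with junk after EOI.
JPEG_OK = b"\xff\xd8\xff\xe0\x00\x02\xff\xda\x00\x02\x12\xff\x00\x34\xff\xd9"
JPEG_PADDED = JPEG_OK + b"MSCF" + bytes(4)
```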