Sorry for bringing this back to life, but I'm looking for some more opinions.
A friend and I are somewhat deadlocked as to whether, with the tools available via php, it's possible to *reliably* secure file uploads.
File uploads currently encompass images, mp3, and real audio files,
with plans for ogg vorbis, flash, and whatever audio/visual/document file formats I can make php read the metadata of.
These files will be used in a gallery type environment, to be displayed, downloaded, or streamed.
The end product will be used by people who most likely will have their sites hosted, thus no real control over the server, and can be run on *nix/Windows environments.


Browsers that I've tested with: IE 6, Mozilla 1.4 (Windows/FreeBSD), Opera 6 (FreeBSD)

Spoofed file in question: Renamed putty.exe to putty.mp3
Side Note: Image uploading can more or less be considered secure because I'm running it through getimagesize(), which will report false on non-image files.


Currently, the upload process checks the browser-reported mime type against a predefined set of mime types. The file extension is checked against a set of predefined file extensions. Then the file is moved to its final destination, and is read for its sequence of magic bytes for its metadata (which depends on the file's extension, so it knows what to look for).
Files are stored in a predefined directory under the webroot.


With IE6, the upload fails because it correctly reported putty.mp3's mime type as not being an mp3 file.
With the other browsers in question, they solely report the mime types according to the file's extension, so the file is successfully uploaded.


Now remember, that the target audience for the script will most likely be on a shared host, thus no control over the server.
Is there anything else I can do using php, that can help in making the process more secure???


mime_content_type() isn't an option, as it doesn't report all mime types.
Reversing the order of reading the file's magic bytes and storing it doesn't really improve matters, as it depends on a file's extension.


Thanks for any tips/pointers you can provide, and sorry for the long post...


Dan Anderson wrote:


There are some very good reasons to check a file's mime type.  For one
thing, if you send a user an executable when you meant to send them a
jpg, and that executable unleashes a virus, that is no good.  Not only
will no one visit your site if they know you are a source of viruses, you
may get sued for damages.  (Computers are expensive!)


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
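
An added example, not part of the original message: one way to run the magic-byte check the post describes on the temporary upload before it is moved, without trusting the browser-reported type or letting the extension choose what to look for. The signature table, function names and sample bytes are assumptions constructed for illustration; in an upload handler `$tmpPath` would be the entry's `tmp_name` from `$_FILES`.

```php
<?php
// Added example: classify an upload by its leading bytes, ignoring the
// browser-reported MIME type. The signature table is an assumption.
function sniff_type(string $path): ?string
{
    $fh = fopen($path, 'rb');
    if ($fh === false) {
        return null;
    }
    $head = (string) fread($fh, 12);
    fclose($fh);
    $signatures = [
        'jpg' => ["\xFF\xD8\xFF"],
        'png' => ["\x89PNG\r\n\x1A\n"],
        'gif' => ['GIF87a', 'GIF89a'],
        'mp3' => ['ID3'],            // ID3v2 tag
        'ogg' => ['OggS'],
        'rm'  => ['.RMF'],           // RealMedia container
        'swf' => ['FWS', 'CWS'],
    ];
    foreach ($signatures as $type => $magics) {
        foreach ($magics as $magic) {
            if (strncmp($head, $magic, strlen($magic)) === 0) {
                return $type;
            }
        }
    }
    // MP3 without an ID3v2 tag starts with an MPEG frame sync (11 set bits).
    if (strlen($head) >= 2 && $head[0] === "\xFF" && (ord($head[1]) & 0xE0) === 0xE0) {
        return 'mp3';
    }
    return null; // unrecognised content, e.g. an "MZ" executable header
}

// Accept only when the sniffed type matches the extension the file will keep.
function upload_is_acceptable(string $tmpPath, string $clientName): bool
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    $ext = ($ext === 'jpeg') ? 'jpg' : $ext;
    $type = sniff_type($tmpPath);
    return $type !== null && $type === $ext;
}

// Constructed samples: an executable header named .mp3, then an ID3v2 header.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00");
var_dump(upload_is_acceptable($tmp, 'putty.mp3'));
file_put_contents($tmp, "ID3\x03\x00\x00\x00\x00\x00\x21\x76\x54");
var_dump(upload_is_acceptable($tmp, 'song.mp3'));
unlink($tmp);
```

A matching header only shows how the file starts, so this is a first gate rather than proof that the rest of the file is well-formed.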


