4

I am currently working on a project where the users can upload images and GPX files. No problem in validating the images but I simply can't find a secure way to make sure that the gpx files are not some malicious file instead. Any hints are very much appreciated! Thanks in advance!

Edit: Can anyone please point out why this code is not working? By not working I mean that it does not reject PDF files.

$xml = new XMLReader();
if (!$xml->xml($_FILES["gps"]["tmp_name"], NULL, LIBXML_DTDVALID)) {
    echo '<script>alert("Not valid!");</script>';           
    exit();
}
user1204121
  • 385
  • 1
  • 3
  • 15
  • The only thing I can think of is checking the [file headers](http://en.wikipedia.org/wiki/List_of_file_signatures) – dot_Sp0T Dec 03 '13 at 19:25
  • 1
    GPX should be valid XML? easy to check that –  Dec 03 '13 at 19:25
  • 2
    gpx is xml, isn't it? load the file into a DOM Validator and feed it the GPX DTDs for comparison. – Marc B Dec 03 '13 at 19:26
  • Xerxes GPX parser could do it: http://www.topografix.com/gpx_validation.asp – Kristen Waite Dec 03 '13 at 19:26
  • 1
    Yes, GPX is XML. Will try the DOM Validator! Thanks! – user1204121 Dec 03 '13 at 19:27
  • http://php.net/manual/en/xmlreader.isvalid.php –  Dec 03 '13 at 19:27
  • Also pass only valid extensions, jpeg and gpx for example. – V G Dec 03 '13 at 19:27
  • 1
    @VG: Extensions don't really mean much. Files can renamed. – gen_Eric Dec 03 '13 at 19:28
  • 1
    According to Wikipedia, GPX is XML. So just load it into an XML parser and make sure it has a `` tag. http://en.wikipedia.org/wiki/GPS_eXchange_Format – gen_Eric Dec 03 '13 at 19:30
  • 1
    @RocketHazmat: Extensions mean much if files are saved. What if someone upload a php/js/py/pl or other executables. This is security reason mostly. – V G Dec 03 '13 at 19:32
  • @VG: True. But, it's better to check if it's a valid image/xml more so than just the extension. – gen_Eric Dec 03 '13 at 19:33
  • @RocketHazmat Definitely always need to check both extension and content. The question was about malicious uploaded files too. – V G Dec 03 '13 at 19:35
  • I am obviously doing something wrong. This code does allow me to upload pdf for example: $xml = new XMLReader(); if (!$xml->xml($_FILES["gps"]["tmp_name"], NULL, LIBXML_DTDVALID)) { echo ''; exit(); } – user1204121 Dec 03 '13 at 20:01
  • @Dagon … until someone uploads a valid GPX file containing PHP code as `.php`. – Gumbo Dec 03 '13 at 20:15
  • @Gumbo thanks for stalking me, i feel special now. –  Dec 03 '13 at 20:35

1 Answers1

1
$xmlcontents = XMLReader::open($_FILES["gps"]["tmp_name"]);

$xmlcontents->setParserProperty(XMLReader::VALIDATE, true);

if($xmlcontents->isValid() and ($xml->xml($_FILES["gps"]["tmp_name"], NULL, LIBXML_DTDVALID))) {
}
else {
    echo 'Not a valid GPS file!")';            
    exit();
}

note here you check the file validity as xml , and it's extention try this

Anas
  • 576
  • 5
  • 10