I currently get the extension of the files that are uploaded by the admins using `pathinfo($FILE["name"], PATHINFO_EXTENSION)`, validating them if they match a specific list.

Today I was wondering:

  • Is there any way to fake the extension, giving the opportunity to a spiteful person to upload a script or whatever instead of, for example, a .jpg file?
  • If so, how could I prevent that or how could I strengthen my script to make it more difficult?
Brigo
  • Extensions are virtually meaningless; I'm pretty sure there's not a single "tracking pixel" out there that's *really* a jpg/gif file. – CD001 Jan 30 '17 at 10:02
  • If you're expecting an image you could just try to read an image with `imagecreatefromjpeg` and see if it fails. – apokryfos Jan 30 '17 at 10:02
  • You can answer that yourself: just rename some jpeg file to a file name like "somefile.txt". Tata! You did it! – arkascha Jan 30 '17 at 10:02
  • The issue usually is not so much if that file actually contains what the uploading person claims it to be. But of what you do with that file. That is the step where things may go wrong if you are not careful and trust client provided data. – arkascha Jan 30 '17 at 10:03
  • @arkascha That's the correct point of view, reason why I validate also the name of the file that is gonna be inserted into the db; also your other consideration of changing the extension manually to one accepted is sensible – Brigo Jan 30 '17 at 10:09
  • Since "validating" the file name does not provide any reliable information whatsoever, why do you do it? And once more: why are you actually interested in what an uploaded file contains? Inserting a string (a file name is nothing else) into a database does not get more or less secure because of any of this. – arkascha Jan 30 '17 at 10:12
  • And with renaming the file to another file name extension I tried to give a sarcastic answer to your question whether it is possible to "fake an extension". I did _not_ suggest that you should do that on the server to somehow handle that... – arkascha Jan 30 '17 at 10:14
  • @arkascha I'm not interested in what an uploaded file contains, I was just interested if there was a way to say to the script, based on pathinfo(), "hey, I'm a JPG" while it's a .php file or any similar case. I anyway validate the file name for two reasons: they have to have a standard and I don't want anything such as `` in the db – Brigo Jan 30 '17 at 10:20
  • 1. that `pathinfo()` function parses the path. That is string operations, nothing magic going on there. So no, it is not possible to create a magic file with name extension `.foo` where that function will return `bar`. Though even if, what is the point? _you are not interested in that_. 2. what do you mean by "they have to have a standard"? _What_ standard? Why? And 3. why would you _not_ want such file name as you gave as an example in the database, if it is the name of a file that has been uploaded? That is _totally_ fine and safe, _unless_ you later use it in a way that will break things. – arkascha Jan 30 '17 at 10:41
  • @arkascha I'll explain the process to you, so maybe you've some advice. The admin can upload two types of file: a PDF file and a JPG/PNG file. They can do it only if they insert a new product into the db, since the img and the tech file are related to it. The standard for the file name is `category-subcategory-prodCode` `.jpg` if img or `.pdf` if document. After that the img is visible in the product page while the pdf is downloadable from the same page. And that's it. There won't be any security problem, I think, that's why my question was general and not related to a specific code – Brigo Jan 30 '17 at 10:53
  • If you are not concerned about any security implications, then what _are_ you concerned about? Why your question about whether something can be faked and might contain a script? The only possible negative outcome in this would be an administrator creating a "broken" product page, since the files claimed to be a PDF document and an image file were something else in fact. If all you are interested in is some file name structure, then use a simple regular expression to test the name against. That's all you need. Though I don't really see much point in it. – arkascha Jan 30 '17 at 11:07
  • Typically the client provided file name is even ignored in web applications, simply _because_ it can be arbitrary. Why don't you define a definite file name instead, built from the available information? Sounds much more robust to me... – arkascha Jan 30 '17 at 11:08
  • @arkascha I think there's some misunderstanding :) What I was worried about was that someone could upload a script bypassing the control on extensions, being able in some manner to use it for not-friendly purposes. Maybe to a super expert this sounds funny 'cause impossible but, since nothing is impossible in computer science, I just wanted to know if there's a "best practice procedure" for file upload. The file name is absolutely of course ignored by the web application, but I want the file names to have that standard; and at the moment I can't use a regex but I'm working to use it – Brigo Jan 30 '17 at 11:44
  • Certainly a script uploaded is a security threat at various points. And you have to take care of that. But you cannot do that by somehow evaluating some file name extension in a client provided file. So do not try to. Such a script _may_ get harmful if you have code that somehow opens and interprets client provided files (don't do that!). Or if you embed it into html markup without escaping name and content (don't do that!). Or if others download those files and execute them (one does not download a file and blindly execute it on one's own system without looking at it first). – arkascha Jan 30 '17 at 11:57
  • Best practice for a file upload is to save and hand out the file unaltered, to use an internal file name that has nothing to do with client input, to only display the original file name in an escaped manner. And to do nothing else with such files of untrusted origin. Oh, you want to limit the file size, sure. – arkascha Jan 30 '17 at 12:01
  • And once more about that "standard" for file names: nothing against a structure for the file names. But that should _never_ be the task of the uploading client! _You can not trust that_. You want to create a file name yourself on the server side if you want to have it obey a certain structure. – arkascha Jan 30 '17 at 12:02
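
The practice described in the comments above (a file name built on the server, the type taken from the file's bytes rather than from its extension, a size limit), as an added PHP example that is not part of the original thread. The size limit, the allowlist, the name alphabet and the sample product values are assumptions, and the code needs the fileinfo extension.

```php
<?php
// Added example: limits, allowlist and sample values are assumptions.
const MAX_BYTES = 5 * 1024 * 1024;   // assumed upload size limit
const ALLOWED = [                    // detected MIME type => extension chosen by the server
    'image/jpeg'      => 'jpg',
    'image/png'       => 'png',
    'application/pdf' => 'pdf',
];

/**
 * Returns the server-side file name for an upload, or throws.
 * The client-supplied file name is never consulted.
 */
function internal_name(string $tmpPath, string $category, string $subcategory, string $prodCode): string
{
    if (filesize($tmpPath) > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Name parts come from the product record; reject anything outside a fixed alphabet.
    foreach ([$category, $subcategory, $prodCode] as $part) {
        if (!preg_match('/\A[a-z0-9]{1,32}\z/', $part)) {
            throw new InvalidArgumentException('bad name component');
        }
    }
    // The type is detected from the file's bytes, not from its name.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !array_key_exists($mime, ALLOWED)) {
        throw new RuntimeException('type not allowed: ' . var_export($mime, true));
    }
    return "$category-$subcategory-$prodCode." . ALLOWED[$mime];
}

// Constructed sample inputs: a minimal PDF header and a PHP script.
$pdf = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($pdf, "%PDF-1.4\n%%EOF\n");
$php = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($php, "<?php echo 'hi';\n");

echo internal_name($pdf, 'tools', 'drills', 'ab123'), "\n";
try {
    internal_name($php, 'tools', 'drills', 'ab123');
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
unlink($pdf);
unlink($php);
```

In a real handler the first argument is `$_FILES[...]['tmp_name']` after checking that the `error` field equals `UPLOAD_ERR_OK`, and the returned name is the target for `move_uploaded_file()` in a directory the web server does not execute scripts from.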
