PHP Upload File Extension Security

Question

im currently using that codes in my software, is it safe to check files extensions or are there any way to bypass it?

                $ext = explode('.',$_FILES['file']['name']);
                $extension = end($ext);
                if($extension == 'jpg' || $extension == 'png' || $extension == 'JPG' || $extension == 'jpeg' || $extension == 'gif' || $extension == 'pjpeg' || $extension == 'x-png'){
                    $extension = $extension;
                }
                else {
                    echo 1;
                    die();
                }

Thank you..

I would advise you use `pathinfo` function to check file extension , that will be more secure than this approach . — TheDeveloper, Jan 27 '18 at 20:44
thank you, what is the risk of current usage? can you give me one example. — mer, Jan 27 '18 at 20:47
See https://security.stackexchange.com/questions/32967/is-it-possible-to-execute-a-php-script-in-an-image-file for why simply checking the extension isn't safe. — ceejayoz, Jan 27 '18 at 20:49
i think there is no way to bypass my code. if you have an example it would be amazing. of course they can hide php codes into their png,jpg files but it cannot be run as a PHP in upload folder. my question is are there anyway to bypass file extension with my code. — mer, Jan 27 '18 at 21:09
There's actually no need to bypass the code you posted. Any extension will get through. I hope you just forgot the `else` part of your `if` . — jh1711, Jan 27 '18 at 21:18
That's what I thought, but it's better to be sure. Beside that, I think there might be a way to evade your validation by injecting null bytes (**Null byte poisoning** for Google et. al.). But that's frequently dependent on the PHP version, and how you move/copy the uploaded files. I'll need to take another look at it in the morning. — jh1711, Jan 27 '18 at 21:33
Please don't make more work for people by vandalizing your posts. By posting on the Stack Exchange (SE) network, you've granted a non-revocable right, under the [CC BY-SA 3.0 license](https://creativecommons.org/licenses/by-sa/3.0), for SE to distribute that content (i.e. regardless of your future choices). By SE policy, the non-vandalized version of the post is the one which is distributed. Thus, any vandalism will be reverted. — Makyen, Jan 27 '18 at 22:39

score 2 · Answer 1 · answered Jan 27 '18 at 20:48

2

are there any way to bypass it?

One way to bypass it, is to simply rename the file..

After all, you currently just check for file name parts.

To handle image uploads securely, OWASP suggests using a re-write approach.

In PHP you could do so by loading the image with gd or imagick and saving a new image based on the input. It may sound like a relatively useless step, but it's a pretty safe way to be sure you're actually dealing with an image.

Edit: See also this answer.

answered Jan 27 '18 at 20:48

Stratadox

1,291
8
21

And in addition to the note about saving a new image (with Imagick at least), is you can purge 'junk' from the file, like profiles, previews, comments, xinfo, etc. – IncredibleHat Jan 27 '18 at 20:53
i think there is no way to bypass my code. if you have an example it would be amazing. of course they can hide php codes into their png,jpg files but it cannot be run as a PHP in upload folder. my question is are there anyway to bypass file extension with my code. – mer Jan 27 '18 at 21:08
So long as you don't execute the files, your server is not at risk. Even if the file has a php extension, if you don't run it, it won't harm you. The reason to consider rewriting images is not to protect the server, but to protect your users from attacks on their web browsers through malicious content in the image file. – Stratadox Jan 27 '18 at 22:25

score 0 · Answer 2 · answered Jan 28 '18 at 10:36

I personally would not recommend just checking file extensions alone. Couple points you need to consider based on your current approach:

Imagine, if I upload a file called mypicture.jpg.php would your current if statement logic catch that out? Might be worth a test?
Following (1) if answer was no, then next question would be does your application check if any php code is contained inside the jpg image which could lead to various privilege escalations on the webserver?

Thus, following the previous answer from Stratadox I would also read this OWASP Unrestricted File Upload page. The OWASP link kindly provided by Stratadox focuses more on prevention techniques and the link I provided is more the attacking side. I think combined together this should help.

In summary, you could keep the current file extension checks but maybe expand few more advanced checks inside the if statement. Good suggestion already mentioned above is native PHP image checking functions/libraries e.g. gd or imagick.

NOTE - always research any native PHP image checking functions/libraries for security flaws (Google will help) and ensure you are configuring functions/settings correctly. This is a good practice to get into to make you a more security minded developer (and make some big $) :)

Hope this helps.

Sylarman5 · Answer 3 · 2018-01-27T22:14:37.547

The best way is that:

<?php //A function to return the extension if you'll want use IT
function EXTENSION($sr){
$path_parts = pathinfo($sr);
$exte='.'.$path_parts['extension'];
return $exte;
;}

;?>

    <?php 
//OR Other way
// then test if is a Pic
    list($width, $height, $type, $attr) = getimagesize($_FILES["file"]['tmp_name']); 

    if(preg_match("#.jpg|.jpeg|.png|.gif#i", $_FILES['file']['name']) AND $width > 2 ){
    //Do what you want

    ;}else{
    echo 1;
    die();
    ;}

    ;?>

it very safe like this Bro.

PHP Upload File Extension Security

3 Answers3