
It is said in many articles about securing file uploads that it is better to prepare a whitelist of extensions instead of a blacklist. But it seems this method has some problems with double-extension files. For example, I have a whitelist like 'pdf', 'doc', 'docx', but this whitelist returns true for apple.php.doc or apple.doc.php.

How can I write a secure extension check function?

hd.
  • and what's wrong with `apple.php.doc`? – zerkms Jan 09 '12 at 05:21
  • Where would a 'double-extension' like this be a problem? I don't use Windows much anymore, but I don't imagine the `.php` (or even a `.exe`) before the `.doc` would mean anything significant to the OS or any programs. (Obviously the apple.doc.php could potentially present a problem.) – Adam Wagner Jan 09 '12 at 05:25
  • So the last extension should be validated, yes? – hd. Jan 09 '12 at 05:37
  • @hd.: there is no first or last extension. There is just a name and an extension. And sometimes the name contains a `.` dot char – zerkms Jan 09 '12 at 05:38
  • @zerkms: But Apache accepts multiple extensions. It accepts apple.php.123 and, because 123 is not a valid extension, ignores it and considers .php – hd. Jan 09 '12 at 05:41
  • @hd.: nope, Apache doesn't do that – zerkms Jan 09 '12 at 05:43
  • @zerkms: I created a file with the name test.php.123, wrote an echo 'Hi'; command in it and browsed to it. The PHP code is executed and the string 'Hi' is displayed on the page (I use Ubuntu) – hd. Jan 09 '12 at 05:48
  • @hd.: it is not the default and expected Apache behaviour. Most likely it is some weird Ubuntu Apache setting :-S – zerkms Jan 09 '12 at 05:54
  • Ummm... But it is enabled by default on all of our Debian and Ubuntu servers after installing Apache. Everybody should beware of it! Anyway... thank you zerkms :) – hd. Jan 09 '12 at 06:01
  • @hd.: actually thank you for the question, looks like it is an interesting behaviour I didn't know about ;-) – zerkms Jan 09 '12 at 06:05

2 Answers

Use this code to check if the extension is good:

$valid_exts = array('doc', 'pdf');
// pathinfo() returns only the part after the LAST dot, so "apple.php.doc"
// yields "doc" and "apple.doc.php" yields "php"; lower-case it so "FILE.PDF"
// is matched as well, and compare strictly.
$ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
if (in_array($ext, $valid_exts, true)) {
     // everything is fine
} else {
     // not fine
}
zerkms
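An added example, not code from any of the posters, that tightens the check above for the multiple-extension behaviour raised in the comments (Apache treating `test.php.123` as PHP) and never stores the file under the client-supplied name; the allowed list and the one-dot rule are assumptions:

```php
<?php
// Added example, not code from any of the posters. It tightens the check
// above for the multiple-extension behaviour raised in the comments
// (mod_mime treating "test.php.123" as PHP) and never stores the file
// under the client-supplied name. The allowed list is an assumption.

const ALLOWED_EXTENSIONS = ['pdf', 'doc', 'docx'];

/**
 * Return the validated, lower-cased extension of $clientName, or null if
 * the name must be rejected. Rule: exactly one dot, a plain [a-z0-9_-]
 * basename and a whitelisted suffix, so neither "apple.php.doc" nor
 * "apple.doc.php" nor "test.php.123" can pass.
 */
function checkUploadExtension(string $clientName, array $allowed = ALLOWED_EXTENSIONS): ?string
{
    // Drop any directory part; some browsers send a full client-side path.
    $base = basename(str_replace('\\', '/', $clientName));

    // No empty names, dot-files (.htaccess) or control/NUL characters.
    if ($base === '' || $base[0] === '.' || preg_match('/[\x00-\x1f]/', $base)) {
        return null;
    }

    $parts = explode('.', strtolower($base));
    if (count($parts) !== 2 || !preg_match('/^[a-z0-9_-]+$/', $parts[0])) {
        return null;
    }

    return in_array($parts[1], $allowed, true) ? $parts[1] : null;
}

/**
 * Name to store the upload under: random basename + validated extension.
 * Keep the directory outside the web root and serve files through a
 * download script, so the web server never executes or interprets them.
 */
function storedFileName(string $clientName): ?string
{
    $ext = checkUploadExtension($clientName);
    return $ext === null ? null : bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample names: report.pdf, ../evil.pdf (stored as a new name
// with .pdf, path prefix stripped) and notes.DOCX are accepted, the rest rejected.
foreach (['report.pdf', 'apple.php.doc', 'apple.doc.php', 'test.php.123',
          '.htaccess', '../evil.pdf', 'notes.DOCX'] as $name) {
    echo str_pad($name, 14), ' => ', storedFileName($name) ?? 'REJECTED', PHP_EOL;
}
```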

You should try to understand the reasons for this; your question doesn't make any sense.

The reason you shouldn't allow any particular extension is that some webservers (like Apache) determine the way the files are served based on them. Of course that only applies to files within the directories they're serving publicly, but most of the time the uploaded files go there, so what happens when you allow an extension that the server will execute, like .php, is that it allows random people on the web to inject code on your site.

That doesn't happen for .php.doc because the extension is still .doc and the server will treat it like that.

It's worth mentioning that one can configure the webserver to not execute certain files within a directory, but it's not the default and few people actually do so.

Samus_
  • Check double extension information here: www.acunetix.com/websitesecurity/upload-forms-threat/ Add `AddHandler php5-script .doc` to httpd.conf and file.php.doc will be executed – carlos Jan 07 '15 at 15:05