Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How do I tell if someone's faking a filetype? (PHP)

Tags:

mime-types

php

upload

file-type

I'm programming something that allows users to store documents and pictures on a webserver, to be stored and retrieved later. When users upload files to my server, PHP tells me what filetype it is based on the extension. However, I'm afraid that users could rename a zip file as somezipfile.png and store it, thus keeping a zip file on my server. Is there any reasonable way to open an uploaded file and "check" to see if it truly is of the said filetype?

like image 947
stalepretzel Avatar asked Oct 08 '08 22:10

stalepretzel

6 Answers

Magic number. If you can read first few bytes of a binary file you can know what kind of file it is.

like image 77
Marko Dumic Avatar answered Nov 20 '22 01:11

Marko Dumic

Sort of. Most file types have some bytes reserved for marking them so that you don't have to rely on the extension. The site http://wotsit.org is a great resource for finding this out for a particular type.

If you are on a unix system, I believe that the file command doesn't rely on the extension, so you could shell out to it if you don't want to write the byte checking code.

For PNG (http://www.w3.org/TR/PNG-Rationale.html)

The first eight bytes of a PNG file always contain the following values:

(decimal) 137 80 78 71 13 10 26 10

(hexadecimal) 89 50 4e 47 0d 0a 1a 0a

(ASCII C notation) \211 P N G \r \n \032 \n

like image 42
Lou Franco Avatar answered Nov 20 '22 00:11

Lou Franco

If you are only dealing with images, then getimagesize() should distinguish a valid image from a fake one. 

$ php -r 'var_dump(getimagesize("b&n.jpg"));'
array(7) {
  [0]=>
  int(200)
  [1]=>
  int(200)
  [2]=>
  int(2)
  [3]=>
  string(24) "width="200" height="200""
  ["bits"]=>
  int(8)
  ["channels"]=>
  int(3)
  ["mime"]=>
  string(10) "image/jpeg"
}

$ php -r 'var_dump(getimagesize("/etc/passwd"));'
bool(false)

A false value from getimagesize is not an image.

like image 38
Shoan Avatar answered Nov 20 '22 02:11

Shoan

Check out the FileInfo PECL extension for PHP, which can do the MIME magic lookups for you.

like image 26
Paul Dixon Avatar answered Nov 20 '22 01:11

Paul Dixon

Many filetypes have "magic numbers" at the beginning of the file to identify them, You can read some bytes from the front of the file and compare them to a list of known magic numbers.

like image 2
Nick Avatar answered Nov 20 '22 01:11

Nick

For an exact answer on how you could quickly do this in PHP, check out this question: How do I find the mime-type of a file with php?

like image 1
leek Avatar answered Nov 20 '22 02:11

leek
Sign in to Comment

Related questions

How to setup a wget cron job command
The CURL User Agent
How to duplicate a table with keys & other structure features retained in MySQL?
A PHP/pthreads Thread class can't use array?
php numeric array select values greater than a number and lower than another and save it to a new array
build json array in php dynamically
replace multiple spaces in a string with a single space
MongoDB group by hour
Symfony2: Entity form field with empty value
PHPStorm - Method not found in subject class
How to use AWS SQS/SNS as a push notification queue for heavy processing tasks via PHP?
How to store multi select values in Laravel 5.2
Carbon: Get start and end date of week when knowing week in year and year
Class 'MongoDB\Client' not found, mongodb extension installed
Laravel validator and excel files error
Carbon (laravel) deal with invalid date
Laravel 5 : Parse error: syntax error, unexpected '?', expecting variable (T_VARIABLE)
How to validate without request in Laravel
How do I implement a HTML cache for a PHP site?
Best way to initiate a download?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!