
How do I validate that an uploaded file is a video?

Tags: php, php-5.3

I have a server that has some very sensitive information on it, so security is a big issue. The user needs to be able to upload a video. I know allowing users to upload files poses a security threat because there is no 100% way to keep them from uploading non-videos. But I obviously can choose which files the server will keep.

I know that checking the file-extension won't suffice. Checking the MIME type is better but it can still be faked. So how do I go about checking if the file is a video?

Tyler Crompton asked Dec 15 '22 20:12


1 Answer

Play it!

The only way to be sure is to have some code that decodes videos of the type in question take a look at it (and check there are sensible results, like a non-zero duration).

Otherwise though, your risks are low:

Non-malicious scenario:

  1. Uploader uploads video, with a video/* content-type.
  2. You store the octets and content-type.
  3. Downloader downloads video, and you use the content-type you received.
  4. Downloader watches video (or grumbles about codecs, etc.)

Malicious scenario 1:

  1. Uploader uploads a nasty trojan, with a video/* content-type.
  2. You store the octets and content-type.
  3. Downloader downloads nasty trojan, and you use the content-type you received.
  4. Downloader opens nasty trojan in video player. Nasty trojan does nothing because it's not a video. User grumbles about codecs. Worst-case scenario is, they write a rant on the Ubuntu forums about lack of support for proprietary formats, add ill-spelt comments on your page about how the site sucks because the video didn't work, etc.

Malicious scenario 2:

  1. Uploader uploads nasty trojan that is written into a video that exploits some buffer-overflow issue with a popular video player.
  2. You store...
  3. Downloader...
  4. Could just be like one of the above, but it could also be that they get hit by the exploit (if they're using the affected player).

Three things to note about scenario 2 though:

  1. Testing it's a video won't guarantee safety, as it could well also work fine in some players.
  2. Testing it's a video could make your server vulnerable to the exploit, if the vulnerability is in ffmpeg!
  3. Exploits of this type are both rare, and hard to do. The general risk is the same as uploading and downloading jpegs or pngs. Indeed it's a bit smaller (there was indeed an exploit of this type affecting commonly-used jpeg libraries for a while).

In all, just make sure you only output with the content-types you accept, and force file-extensions to match them; if the user uploads a video/mpeg called hahaha.exe, then rename it hahaha.mpg

Edit: Oh, also:

Malicious scenario 3:

Uploader uploads video that exploits some players in a way that uses a lot of resources. In this case a downloader will just kill -9/ctrl-alt-delete/your-OS's-kill-them-all-of-choice, but if your server is testing it's a video, then it could end up in trouble as there's no one on hand to step in and kill the 200 (and growing as the script kiddie's script keeps uploading more) "videos" it's trying to interpret.

Just doing normal video-processing could be enough to introduce the ability to DoS you (video processing is relatively heavy after all), so testing the file could introduce more dangers than it saves you from.

Jon Hanna answered Jan 01 '23 01:01
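
The closing advice of the answer above (serve only the content-types you accept, and force the extension to match) sketched in PHP. This is an added example, not part of the original answer; the allowlist contents, the function names and the use of PHP 7.1+ syntax are assumptions.

```php
<?php
// Added example, not from the original answer. Allowlist of accepted
// content-types (an assumption), each mapped to the one extension stored.
const ACCEPTED_VIDEO_TYPES = [
    'video/mpeg'      => 'mpg',
    'video/mp4'       => 'mp4',
    'video/webm'      => 'webm',
    'video/quicktime' => 'mov',
];

/**
 * Returns [storedName, contentType] for an accepted upload, or null to reject.
 * Both arguments are untrusted values taken from the upload request.
 */
function normalizeVideoUpload(string $clientName, string $declaredType): ?array
{
    // Drop parameters such as "; codecs=..." and normalise case.
    $type = strtolower(trim(explode(';', $declaredType)[0]));
    if (!array_key_exists($type, ACCEPTED_VIDEO_TYPES)) {
        return null; // not a type we agreed to store or serve
    }
    // Keep the base name only: no directory part, no extension(s).
    $base = basename(str_replace('\\', '/', $clientName));
    $base = explode('.', $base)[0];
    // Conservative character set; fall back if nothing is left.
    $base = (string) preg_replace('/[^A-Za-z0-9_-]/', '', $base);
    if ($base === '') {
        $base = 'video';
    }
    return [substr($base, 0, 64) . '.' . ACCEPTED_VIDEO_TYPES[$type], $type];
}

/** Response headers for a stored file: the accepted type only, no sniffing. */
function downloadHeaders(string $storedName, string $type): array
{
    return [
        'Content-Type: ' . $type,
        'X-Content-Type-Options: nosniff',
        'Content-Disposition: attachment; filename="' . $storedName . '"',
    ];
}

// Constructed sample inputs, including the answer's hahaha.exe case.
foreach ([['hahaha.exe', 'video/mpeg'], ['../x.php.mp4', 'video/mp4'],
          ['clip.mp4', 'application/x-msdownload']] as $upload) {
    $result = normalizeVideoUpload($upload[0], $upload[1]);
    echo $upload[0], ' => ', $result === null ? 'rejected' : implode(' as ', $result), "\n";
}
```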