Ok, I am allowing (within a script) for certain types of files to be uploaded via a Forum Admin Defined approach! How can I tell if these files are of the type that the Admin has set, to be sure they are not fake files? I currently am using a mime-types approach, but different browsers can set different mime-types, so this doesn't really help much. Checking the file extension doesn't help either, since people can get around this by giving it an extension that is allowed, but would be of a different file type.
Perhaps there is a reference somewhere of a way to check the bytes within many different types of files to be sure that it is of the correct type? Perhaps this can be faked also, but at least it would be a bit more accurate when using a form to upload files into and submitting them.
Can someone please help me with ideas on this?
Thanks :)
PECL fileinfo (or built-in >5.3) will inspect the byte signatures of files to guess their mimetypes, so it protects against people simply changing the file extension. It is still possible in some cases to include malicious bytes in a file that matches the appropriate byte signature for a filetype.
From the PHP docs:
```php
<?php
// Procedural style
$finfo = finfo_open(FILEINFO_MIME_TYPE); // return mime type a la the mimetype extension
echo finfo_file($finfo, $filename);
finfo_close($finfo);

// OO style
$finfo = new finfo(FILEINFO_MIME_TYPE);
echo $finfo->file($filename);
$finfo->close();
```
On a Unix server, I believe finfo_file() consults the same byte signature database as the GNU file utility.
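The following is an added example, not code from the original answer or from the PHP docs, showing how finfo byte-signature detection can be combined with an admin-defined allowlist: the extension decides which MIME types are acceptable, and the bytes must agree with that choice. The `$allowed` map, the `validate_upload()` function name and the two sample files are assumptions constructed for illustration.

```php
<?php
// Added example: validate an uploaded file against an admin-defined
// allowlist using finfo byte-signature detection. The allowlist shape
// and the sample files are constructed for this illustration.

// Admin-defined allowlist: extension => MIME types finfo may report for it.
// (Assumption: the forum stores something equivalent to this map.)
$allowed = [
    'gif' => ['image/gif'],
    'png' => ['image/png'],
    'jpg' => ['image/jpeg'],
    'pdf' => ['application/pdf'],
];

/**
 * Return the detected MIME type if the file's bytes match a type the
 * admin allowed for its claimed extension, or null if it should be rejected.
 */
function validate_upload(string $path, string $originalName, array $allowed): ?string
{
    // The extension comes from the user-supplied name, so treat it only as a claim.
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null; // extension not on the allowlist at all
    }

    // finfo reads the byte signature; the file name plays no part here.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($path);
    if ($detected === false) {
        return null; // unreadable file or no usable signature
    }

    // Accept only when the bytes agree with what the extension claims.
    return in_array($detected, $allowed[$ext], true) ? $detected : null;
}

// Constructed samples: a genuine 1x1 GIF, and a PHP script renamed to .gif.
$gifBytes = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');
$realGif = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($realGif, $gifBytes);

$fakeGif = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($fakeGif, "<?php echo 'not an image'; ?>\n");

// Both carry the name avatar.gif; only the one whose bytes are a GIF passes.
var_dump(validate_upload($realGif, 'avatar.gif', $allowed));
var_dump(validate_upload($fakeGif, 'avatar.gif', $allowed));

unlink($realGif);
unlink($fakeGif);
```

In a real upload handler the `$path` argument would be `$_FILES['field']['tmp_name']` (checked first with `is_uploaded_file()`), and the stored file should be given a server-chosen name rather than the user's. As the answer notes, a file can still carry a valid signature and malicious content after it, so this check establishes the container type, not that the contents are safe; serving uploads from a location where they are never executed is the complementary control.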