 

How to ensure that an uploaded file is an MS Word document?

I'm thinking of saving uploaded docs to a folder outside the webroot and feeding the downloads with a script using readfile(file).

However, I'm wondering if the following would be enough to remove any kind of threats there could be:

$filename = basename($_FILES['uploaded_file']['name']);
// extension after the last dot (taken from the client-supplied name)
$ext = substr($filename, strrpos($filename, '.') + 1);
// MIME type as reported by the browser in the multipart request
if (($ext == "doc") && ($_FILES["uploaded_file"]["type"] == "application/msword"))
{
    // execute rest of the code
}

I've read that people recommend using finfo_open(), but my server is on a PHP version below 5.3.0, so I can't use it. I've tried using mime_content_type(), but it always gives me "text/plain" for any kind of file I send through (I don't know if I'm doing something wrong with that).

Is there anything I could add to make this a more secure process?

Filgera asked Jun 15 '11 19:06


1 Answer

One issue you will inevitably come across is that browsers can tag a file's mime-type inappropriately. For example, there is a common Firefox bug that can tag most files as application/octet-stream even though the file genuinely is a doc, pdf, or xls file, etc. The 'safest' thing to do is scan the file server side, which should also include a virus check. However, if you have limited server access you may not be able to do this.

I've used ClamAv (http://www.clamav.net/lang/en/) in the past to do this.

See http://sourceforge.net/projects/php-clamav/ for more details.

Colin answered Oct 26 '22 11:10
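The server-side content check the answer recommends, as an added example that is not part of the question or the answer: instead of trusting the browser-supplied extension and MIME type, it reads the file's own signature (the OLE2 header of a legacy .doc, or the ZIP container of a .docx holding word/document.xml) and stores the file under a server-generated name. The field name "uploaded_file" and the $uploadDir parameter are assumptions.

```php
<?php
// Added example: validate an uploaded Word file by its content, not by the
// client-supplied name or $_FILES[...]['type']. Field name "uploaded_file"
// and $uploadDir (a directory outside the web root) are assumptions.

function detectWordFormat($path)
{
    $fh = fopen($path, 'rb');
    if ($fh === false) {
        return false;
    }
    $head = fread($fh, 8);
    fclose($fh);

    // Legacy .doc: OLE2 compound document signature D0 CF 11 E0 A1 B1 1A E1.
    // The same container is used by .xls/.ppt, so this proves "OLE2 file",
    // not "Word specifically"; it still rules out renamed scripts/executables.
    if ($head === "\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1") {
        return 'doc';
    }

    // .docx: ZIP local file header "PK\x03\x04" plus a word/document.xml entry
    if (substr($head, 0, 4) === "PK\x03\x04" && class_exists('ZipArchive')) {
        $zip = new ZipArchive();
        if ($zip->open($path) === true) {
            $isDocx = $zip->locateName('word/document.xml') !== false;
            $zip->close();
            if ($isDocx) {
                return 'docx';
            }
        }
    }
    return false;
}

function acceptWordUpload(array $file, $uploadDir)
{
    // Only accept a real upload that completed without error
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return false;
    }
    $format = detectWordFormat($file['tmp_name']);
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if ($format === false || $ext !== $format) {
        return false; // content signature and extension must agree
    }
    // Server-generated name: the client's filename is never reused on disk
    $dest = rtrim($uploadDir, '/') . '/' . sha1(uniqid(mt_rand(), true)) . '.' . $format;
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : false;
}
```

A structurally valid .doc can still carry macros, so this check complements the virus scan the answer suggests rather than replacing it.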