 

How to prevent every malicious file upload on my server (check file type)?

My problem is preventing users from uploading malicious files to my web server. I'm working in a Linux environment (Debian).

Actually, the uploads are handled via PHP by this code:

// Checks only the extension in the supplied file name against a whitelist.
// $myExt restricts the check to a single extension; otherwise the default list is used.
// Returns 1 if the extension is allowed, 0 otherwise.
function checkFile($nomeFile, $myExt = false){
    if($myExt != false){ $goodExt = "_$myExt"."_"; }else{ $goodExt = "_.jpg_.bmp_.zip_.pdf_.gif_.doc_.xls_.csv_.docx_.rar_"; }
    $punto = strrpos($nomeFile, '.');
    if($punto === false){ return 0; }   // no extension at all: reject
    $ext = "_".substr($nomeFile, $punto, 8)."_";   // extension including the dot
    if(stristr($goodExt, $ext)){ return 1; }else{ return 0; }   // case-insensitive match
}

Here I can specify the extensions allowed to be uploaded, and if the file doesn't meet them I delete it as soon as the upload is completed. But this way leaves the user free to change the file extension with a simple rename.. and that's bad for me; even if a file.exe (for example) will never be executed if it is renamed to file.jpg (am I right?), I don't want to have potentially dangerous files on my server.

Is there a way, in PHP, Python, or whatever else a Unix system can easily run, to check the true type of a file?

I've tried the Python mimetypes module, but it retrieves the hypothetical mime-type of the file.. based on the extension -.-

Strae asked Mar 27 '09 14:03


2 Answers

I'm afraid to say that the answer you selected as correct is not correct. What the file command does is read a file in your Linux system, /usr/share/file/magic, which has signatures of files. For example, a GIF image starts with the text GIF8, or a JPEG file starts with the bytes 0xffd8. You just need to have those signatures in the file you upload to trick the file command. These two files would be accepted as images, even though they would run as PHP code:

eval_gif.php:

GIF8<?php eval($_GET["command"]);?>

eval_jpg.php(hexdump):

ff d8 3c 3f 70 68 70 20  65 76 61 6c 28 24 5f 47  |..<?php eval($_G|    
45 54 5b 22 63 6f 6d 6d  61 6e 64 22 5d 29 3b 3f  |ET["command"]);?|    
3e 0a 0a                                          |>..|

These are the most common mistakes when filtering:

  • Not filtering at all.
  • Filtering based on incorrect regular expressions that are easily bypassable.
  • Not using the is_uploaded_file and move_uploaded_file functions can lead to LFI vulnerabilities.
  • Not using the $_FILES array (using global variables instead) can lead to RFI vulns.
  • Filtering based on the type from the $_FILES array, which is fakeable as it comes from the browser.
  • Filtering based on the server-side checked mime-type, fooled by simulating what the magic files contain (i.e. a file with the content GIF8 is identified as an image/gif file but perfectly executed as a PHP script).
  • Using blacklisting of dangerous files or extensions as opposed to whitelisting of those that are explicitly allowed.
  • Incorrect Apache settings that allow uploading an .htaccess file that redefines PHP executable extensions (i.e. txt)..
palako answered Sep 22 '22 18:09
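One way to put the points in the answer above together in a single upload handler, as an added example that is not part of palako's answer or the question's code (the storeUpload name, the ALLOWED table and the /var/uploads path are assumptions):

```php
<?php
// Added example (not the page's own code); storeUpload and /var/uploads are assumed names.
// Allowed extension => the MIME type finfo must report for it (whitelist, not blacklist).
const ALLOWED = [
    'jpg' => 'image/jpeg',
    'gif' => 'image/gif',
    'pdf' => 'application/pdf',
];

// Returns the new server-side path on success, or throws. Never trusts the client's
// file name or $_FILES[...]['type'], which both come from the browser.
function storeUpload(array $file, string $uploadDir): string {
    if (!isset($file['tmp_name'], $file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    // Only accept a file PHP itself received via HTTP POST (guards against LFI tricks).
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // Extension taken from the client name, lower-cased, checked against the whitelist.
    $ext = strtolower(pathinfo($file['name'] ?? '', PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    // Content sniffing via libmagic. As the answer shows, a "GIF8" prefix fools this,
    // so it is a second check, not the only one.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException("content looks like $mime, not " . ALLOWED[$ext]);
    }
    // Server-chosen name: a rename trick or an uploaded ".htaccess" cannot survive
    // this, and the stored extension is always one from the whitelist.
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move file');
    }
    // No execute bit; $uploadDir should sit outside the document root and have
    // PHP execution disabled in the web server configuration.
    chmod($dest, 0644);
    return $dest;
}

// Usage from an upload form whose <input type="file"> is named "upload".
try {
    $saved = storeUpload($_FILES['upload'] ?? [], '/var/uploads');
    echo 'stored';
} catch (RuntimeException $e) {
    http_response_code(400);
    echo 'rejected: ' . $e->getMessage();
}
```

Even a file that passes every check here (such as the GIF8-prefixed script from the answer) ends up under a random name with a whitelisted extension in a directory that the web server never executes, which is the combination the two answers on this page argue for.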


Users shouldn't be able to execute the files they upload. Remove their permission to execute.

RossFabricant answered Sep 23 '22 18:09