Let's say you could upload any file you wished to a server, but the file extension MUST be ".jpg". Would you be able to upload anything that could harm the server?
The point of my question is that file type verification is slow, and I would rather only have to check the file extension if that is secure enough. I am having trouble imagining a scenario where malware disguised as an image could be used.
I have seen recommendations for using getimagesize() to verify an image, but this function is pretty slow, and I cannot figure out if it is necessary, or even effective, for preventing malware uploads...
Any information on this is greatly appreciated.
For testing the security of images, I really only use one method: just re-create the image with GD or whatever image processing library you're using, and use the new image.
This should make the file perfectly secure if you have updated versions of your library.
It may make your stuff a bit slower, but the safer the better.
Just checking if there is a '.jpg' at the end of a file name will do nothing. The file can still be any type of file.
Hope this helped!
It seems like only checking the extension is unsafe. Harmful to the server? Hard to say, without knowing the server OS, permissions on the uploaded files, etc. You definitely don't want to allow these to be executed. It's certainly easily abused by allowing users to upload non-images; then they just rename to what it really is when their friends download it. This is how you find yourself unwittingly hosting pirated movies, warez, etc.
If you think getimagesize() is a bit too slow (because all uploads are done at super high speed, as we know ;) ) you can try the fileinfo library as well. It inspects at least some bytes within the file. It's pretty fast; I use it every day for hundreds of files in an app that should run speedy, and it does.

However, what you don't verify you don't know. So probably first check the extension, ensure a safe filename and a safe store, and make sure the files are properly sent out to the client.

Before letting any image library touch it (and this should include those on the computers of your site's users), for security reasons the file should be scanned by a virus scanner. That's much slower compared to getimagesize(); others suggest taking a look into the file for any occurrence of <?php as well, to prevent uploading as payload. Naturally this includes checking for phar files if inclusion is not prevented via the PHP installation's security settings (e.g. by suhosin).

Next to on-demand virus scanning, stored files should be checked from time to time again and again because of formerly unknown exploits.

So part of this is always a background job. But even the on-demand real-time checks often do not take that much time unless your application does uploads all the time. You might want to introduce some upload queue, so the upload is already done but the file becomes available to the uploader only after the necessary tasks have been run.
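The checks the answers describe, combined into one PHP function: extension whitelist, fileinfo MIME detection, getimagesize(), re-encoding with GD (the first answer's approach) so that only pixel data survives, and a generated filename. This is an added example, not code from any of the answers; it assumes a `$_FILES`-style array and a writable `$storeDir`.

```php
<?php
// Added example: validate an uploaded image and store a freshly re-encoded
// copy. Assumes $file is one entry of $_FILES and $storeDir is writable.
function storeUploadedImage(array $file, string $storeDir): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // 1. The extension alone proves nothing; it only narrows what we accept.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'png', 'gif'], true)) {
        return null;
    }
    // 2. fileinfo looks at the leading bytes of the file, not at its name.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($file['tmp_name']);
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
    if (!isset($allowed[$mime])) {
        return null;
    }
    // 3. getimagesize() parses the image header; rejecting absurd dimensions
    //    here keeps GD from allocating huge buffers for a hostile header.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[0] > 8192 || $info[1] > 8192) {
        return null;
    }
    // 4. Decode with GD and write a new file: metadata and any bytes appended
    //    after the image data (e.g. a trailing "<?php" block) do not survive.
    $src = @imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($src === false) {
        return null;
    }
    // 5. Never reuse the client's filename; generate one, with the extension
    //    taken from the detected type rather than from the supplied name.
    $type = $allowed[$mime];
    $name = bin2hex(random_bytes(16)) . '.' . $type;
    $dest = rtrim($storeDir, '/') . '/' . $name;
    if ($type === 'png') {
        imagesavealpha($src, true); // keep transparency when re-encoding PNG
    }
    $ok = match ($type) {
        'jpg' => imagejpeg($src, $dest, 85),
        'png' => imagepng($src, $dest),
        'gif' => imagegif($src, $dest),
    };
    imagedestroy($src);
    return $ok ? $name : null;
}
```

Store `$storeDir` outside the web root, or with script execution disabled for it, so even a file that slipped through is served as static data rather than run.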