Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Reliability of Mimetypes in Uploads (PHP)

Tags:

mime-types

security

php

file-upload

mime

I've had this question for a while: how exactly is the mime type of a file determined? I believe this is done by checking if specific bytes of the file contain any of the known magic numbers / file signatures, right?

If so, this poses another question, lets say I upload a bash script with a fake GIF file signature to a website that only allows images to be uploaded, what is going to happen? Either:

  1. the mimetype detection routine is smart enough to detect fake signatures, or
  2. image/gif is wrongly returned as the mimetype and the upload is allowed to continue

I don't have an HEX editor installed ATM, and I don't like to form security-related conclusions from tests as I might miss (or misinterpret) something, so my question is: which one of the above options is correct?

Also, are there any other best practices (besides checking the mimetype) to assure that any given file is in fact what it seems / needs (or is allowed) to be? Thanks in advance.

PS: Just to be clear, I'm not asking about the type index in the $_FILES superglobal.

like image 337
Alix Axel Avatar asked May 14 '11 06:05

Alix Axel

2 Answers

My understanding is the MIME determination routines in the file upload code are extremely crude and that the MIME type in the $_FILES array simply can't be trusted. It's been my experience that it's easily foxed.

You're better off using the Fileinfo library, which provides more robust file type detection.

http://www.php.net/manual/en/ref.fileinfo.php

like image 176
GordonM Avatar answered Sep 23 '22 06:09

GordonM

If you're talking about $_FILES['userfile']['type'] then this information is sent by the browser. It may or may not be present and even if its present you should treat it just like any other user input.

If you're interested in checking for images you can use the getimagesize function to determine file type. This function returns NULL for images it cannot understand. Even if it returns a valid image type you can still reject the file e.g. if you're expecting GIF and JPEGs and you get a TIFF instead.

Also, a webserver will determine whether to execute a file of not depending on file permissions (the execute bit and the shebang line) and file extension. If you keep a check on these two you're probably OK.

like image 45
Salman A Avatar answered Sep 25 '22 06:09

Salman A
Sign in to Comment

Related questions

group large set of images
flush() doesn't work in Firefox 4
Does anyone know of any open source availability / scheduling systems? [closed]
Any good Zend Framework + Minify implementations?
PHP Automated Deployment and Testing
CSRF token for ajax
PHP JSON response contains HTML headers
SQL: Find next row in a where clause given an ID
PHP-MySQL developer transitioning to PostgreSQL. What do I need to know?
Session token - how does it work?
Enabling GD in PHP on linux for imagecreatefromstring function and sending email
Is it possible for a PHP file to delete itself on execution?
Is application/octet-stream a safe MIME type to accept when accepting CSV files?
ASIHTTPRequest post json to php server
Facebook API Responses Very Slow (oAuth)
PHP sent emails have =0A=0A instead of new lines
Using git and submodule, what's a good folder structure?
PHP Facemash ELO Rating Class/Function
How can I execute XPath queries on DOMElements using PHP?
PHP ldap - Strong(er) authentication required

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!