
What's the purpose of is_uploaded_file()?

Tags:

php

Docs say:

Returns TRUE if the file named by filename was uploaded via HTTP POST

How could $_FILES['blah']['tmp_name'] possibly not be the result of a POST upload? PHP created this filename.

This is useful to help ensure that a malicious user hasn't tried to trick the script into working on files upon which it should not be working--for instance, /etc/passwd.

I understand that I should carefully check the file contents and size. But how could an attacker have any control whatsoever over the temp filename of the uploaded file?

Or does is_uploaded_file() do some other checks?

Thanks for shedding some light.

Serge Wautier asked Nov 24 '11 19:11


2 Answers

In its current form, is_uploaded_file checks that file uploads are enabled (otherwise it cannot possibly be an uploaded file) and that the provided filename has in fact been generated by PHP (I know this from looking at the source).

This is not really helpful, since if there was no problem during the upload then

is_uploaded_file($_FILES['blah']['tmp_name'])

would always return true.

However, consider that $_FILES has "only" been available since PHP 4.1.0, while is_uploaded_file appeared first with PHP 4.0.3. The conclusion that seems logical here is that it was kind of hard to get uploaded file handling working securely before the $_FILES superglobal was made available. If nothing else, non-superglobals can be injected into, and very easily so with register_globals enabled -- which used to be another sore point with the security of PHP.

If one is writing code today and using $_FILES like one is supposed to, then I'd say is_uploaded_file in its current implementation is "useless" because there's no attack vector that can trick you into processing a "bad" file.

However, there's also another way of looking at things: is_uploaded_file is guaranteed to work correctly now and in the future, for as long as it's available, regardless of what the mechanics of uploading files and making them available to the programmer are. Maybe right now it does not provide anything concrete, but it's an abstraction over the concept of "secure file upload" that comes with a guarantee. I would think that there is no such guarantee for $_FILES (again, even though I'd consider it a regression if the current status quo changes "for the worse").

Jon answered Nov 16 '22 08:11


Well, you can pass any string to is_uploaded_file.

Sure, if you pass it something straight out of $_FILES then yes of course it'll always return true, but if you form the argument yourself then it may not.

Lightness Races in Orbit answered Nov 16 '22 08:11
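An added example, not part of the question or of either answer above: a minimal upload handler showing where is_uploaded_file() still matters, namely when the path being checked did not come straight from PHP's own upload handling. The function name store_upload, the random destination name and the forged array are assumptions made for illustration; run from the CLI, no upload is registered, so the check rejects the path.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not from the page): store one uploaded file.
 * $file is one entry of $_FILES, passed in so the check can be exercised.
 */
function store_upload(array $file, string $destDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed or missing');
    }
    $tmp = $file['tmp_name'] ?? '';
    // Rejects any path PHP did not itself register as an upload for this
    // request, e.g. a string built by the script or an injected variable.
    // A multi-file field (tmp_name is an array) is rejected here as well.
    if (!is_string($tmp) || !is_uploaded_file($tmp)) {
        throw new RuntimeException('not an HTTP POST upload: ' . var_export($tmp, true));
    }
    // Do not reuse the client-supplied name; generate one server-side.
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16));
    // move_uploaded_file() performs the same check again before moving.
    if (!move_uploaded_file($tmp, $dest)) {
        throw new RuntimeException('could not move upload');
    }
    return $dest;
}

// Constructed input: an array shaped like a $_FILES entry whose tmp_name was
// not produced by PHP's upload handling (the pre-$_FILES / register_globals
// situation described in the first answer).
$forged = [
    'name'     => 'x.txt',
    'type'     => 'text/plain',
    'size'     => 1,
    'tmp_name' => '/etc/passwd',
    'error'    => UPLOAD_ERR_OK,
];

try {
    store_upload($forged, sys_get_temp_dir());
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

In a web request the call would be store_upload($_FILES['blah'], $dir), using the field name from the question.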