Good Morning,
I am thinking of letting users upload files to my website. I already have a PHP script to allow this, which will be the back-end of a Flash GUI. I have made the .swf, which would allow the browser to find files with only the specified file types for the download to begin. The checks and balances in the ActionScript would check file size and extension value, and not upload if these two are not in compliance with both. The PHP script takes the file extension and will not upload if the file extension is not one of the checks. The script also takes three random values in the data of the tmp file and md5 hashes them to make the file name, and then the extension is appended to the file name, which is then put into a database with the original file name. Here's a quick summary of the Flash and PHP file functions.
Flash

  • checks file extension
  • checks file size

PHP file

  • checks if file has been uploaded to temp if yes then
  • splits file name into array and pops off the last array and checks if the file extension is allowed if yes then
  • Checks file size so as not to exceed php.ini limit if yes then
  • goes through tmp file and selects three random to md5 hash and add extension
  • checks database to see if the file has already been uploaded
  • inserts values into database
  • a bunch of elses for error codes

Should I save these files without the extension and add the extension only when called?
I eventually want my users to view these files in flash so I will probably print up an XML.
Now my questions are:
Should I put these uploaded files in my cgi-bin?
If so, let's say I have videos or some sort of other file type, will I be able to stream from my cgi-bin?
How does someone make a file with a friendly extension and use it with a different scripting language? (I don't really want to know how to do it, just the factors so I can safeguard against it)

Now I know there is no 100% safe upload script, but such is life, there is no perfect, just to strive for perfection. Any input would help.
Thanks,
Dave

Hi Dsiembab,

Should I save these files without the extension and add the extension only when called?

It shouldn't really make a difference if you keep them out of the web root and set appropriate permissions on them.

Should I put these uploaded files in my cgi-bin?

No, put them outside the web root altogether and grant them the most restrictive permissions possible while still making them readable by PHP or whatever will be streaming/delivering them.

If so, let's say I have videos or some sort of other file type, will I be able to stream from my cgi-bin?

If PHP/streamer/etc has permissions to read the files, yes.

How does someone make a file with a friendly extension and use it with a different scripting language?

Can you elaborate on "friendly extension?" Is this friendly extension for the uploaded files?

Also, make sure you are not *just* checking the file extension and that you *are* using mime type checking as an extra measure of security.

Can you elaborate on "friendly extension?" Is this friendly extension for the uploaded files?

Also, make sure you are not *just* checking the file extension and that you *are* using mime type checking as an extra measure of security.

Yes, basically the PHP file checks if the extension is the one I will allow for upload,
i.e.

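if (is_uploaded_file($file[0])) {
    // lower-case $file[1], split it on dots and keep the last piece as the extension
    $lower = strtolower($file[1]);
    $ext   = explode(".", $lower);
    $ext1  = array_pop($ext);
    // ... $ext1 is then checked against the allowed extensions
}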

$file[0] being $FILE and $file[1] being $_FILES,
and then I check $ext1 against the files I am allowing to upload, i.e. ("wav", "wma", etc.)


What I meant by friendly extension: from what I have read, someone could make a Perl script to fake the file extension and the MIME type. Should I use preg_match and search for <?php #!/usr/bin/perl <? (if short tags are enabled) and see if these exist in the file, and if they do, not upload the file?

The information I have read is from this: Secure file upload in PHP web applications

Hi Dsiembab,

That sounds like a great plan (ie. using regular expressions to check for perl junk).

And/Or if you are running on a Linux system (unless you have Perl installed on a Windows server), you can set a permission mask to not allow executing files where you are storing your uploaded files. chmod -Rv -x /var/uploadedfiles will take care of that for you. Also, investigate setting permission masks so that any file that goes into that directory becomes un-executable.

The extension checking scheme you've posted is about as bulletproof as it gets for extension checking.

You could also (if you wanted an added layer of security) use a program like mencoder or some other program (that can read information about many multimedia file types) to output information about the file (bitrate, samples, fps, etc) that would only appear if it was truly a valid format and returns an error code if it isn't. Run the file through the program (using system, exec, or passthru perhaps) and if it returns an error code, scrap the file and present an error to the user showing them that they aren't as clever as they thought they were.

The aforementioned are just a couple ideas but it sounds like you are definitely on the right track.

By the way, could you post the link to the information regarding perl attacks via file uploads? I'm sure everyone on the site would be grateful :)
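
Added example (not code from any poster in this thread): one way to combine the checks suggested so far in a single server-side handler, covering the extension allow-list, MIME sniffing from content, the script-marker scan, storage outside the web root and non-executable permissions. The field name `userfile`, the size cap and the MIME lists are assumptions to adjust for your server, and a SHA-256 content hash is used as the stored name in place of the md5 scheme described in the question.

```php
<?php
const UPLOAD_DIR = '/var/uploadedfiles';   // path used in the reply; keep it outside the web root
const MAX_BYTES  = 20 * 1024 * 1024;       // assumed cap, at or below the php.ini limits
const ALLOWED    = [                        // extension => MIME types libmagic may report (assumed)
    'wav' => ['audio/x-wav', 'audio/wav'],
    'wma' => ['audio/x-ms-wma', 'video/x-ms-asf'],
];
function store_upload(array $f): string
{
    if ($f['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($f['tmp_name'])) {
        throw new RuntimeException('not a completed HTTP upload');
    }
    if ($f['size'] <= 0 || $f['size'] > MAX_BYTES) {
        throw new RuntimeException('file size out of range');
    }
    // The client-supplied name is used only to look up the allow-list entry.
    $ext = strtolower(pathinfo($f['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        throw new RuntimeException('extension not allowed');
    }
    // Sniff the type from the bytes; $_FILES[...]['type'] is sent by the client.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']);
    if (!in_array($mime, ALLOWED[$ext], true)) {
        throw new RuntimeException('content does not match extension');
    }
    // Heuristic from the thread: refuse files carrying script markers.
    $data = file_get_contents($f['tmp_name']);
    if ($data === false || stripos($data, '<?php') !== false || strncmp($data, '#!', 2) === 0) {
        throw new RuntimeException('script marker found');
    }
    // Content hash as stored name: no user input in the path, duplicates map to one name.
    $name = hash('sha256', $data) . '.' . $ext;
    if (!move_uploaded_file($f['tmp_name'], UPLOAD_DIR . '/' . $name)) {
        throw new RuntimeException('could not move upload');
    }
    // 0640: readable by PHP, never executable. The directory keeps its x
    // (search) bit, otherwise PHP cannot open the files inside it.
    chmod(UPLOAD_DIR . '/' . $name, 0640);
    return $name;
}
if (isset($_FILES['userfile'])) {          // 'userfile' is a hypothetical field name
    try {
        echo 'stored as ', store_upload($_FILES['userfile']);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'upload rejected: ', $e->getMessage();
    }
}
```

The original file name still belongs in the database row next to the stored name, and delivery should go through a PHP script that reads from `UPLOAD_DIR` rather than a direct URL to the file.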

It's in the URL I put in my last post, but here it is again: Secure file upload in PHP web applications. The URL is so long because it is a PDF converted to HTML by Google. It basically goes through the implementation of a PHP upload script with several scenarios on a potential attack, going from basic PHP upload to advanced PHP upload scripts. I found it pretty informative. And it did suggest what you suggested. Thanks

And/Or if you are running on a Linux system (unless you have Perl installed on a Windows server), you can set a permission mask to not allow executing files where you are storing your uploaded files. chmod -Rv -x /var/uploadedfiles will take care of that for you. Also, investigate setting permission masks so that any file that goes into that directory becomes un-executable.

So I should chmod 666 the directory and 644 the files I put in them?
