How to be sure they are uploading certain files

 

Ok, I am allowing (within a script) for certain types of files to be uploaded via an Forum Admin Defined approach! How can I tell if these files are of the type that the Admin has set to be sure they are not fake files. I currently am using a mime-types approach, but different browsers can set different mime-types, so this doesn't really help much. Checking the file extension doesn't help either, since people can get around this by giving it an extension that is allowed, but would be of a different file type.

Perhaps there is a reference somewhere of a way to check the bytes within many different types of files to be sure that it is of the correct type? Perhaps this can be faked also, but atleast it would be a bit more accurate when using a form to upload files into and submitting them.

Can someone please help me with ideas on this?

Thanks :)

PECL fileinfo (or built-in >5.3) will inspect the byte signatures of files to guess their mimetypes, so it protects against people simply changing the file extension. It is still possible in some cases to include malicious bytes in a file that matches the appropriate byte signature for a filetype.

From the PHP docs: 

// Procedural style
$finfo = finfo_open(FILEINFO_MIME_TYPE); // return mime type ala mimetype extension
echo finfo_file($finfo, $filename);
finfo_close($finfo);

// OO style
$finfo = new finfo(FILEINFO_MIME_TYPE);
echo $finfo->file($filename);
$finfo->close();

On a Unix server, I believe finfo_file() consults the same byte signature database as the GNU file utility.

Don't ever trust user input. Checking for a given filetype/mimetype should never be used as a way to prevent people from uploading malicious content to your server. If the goal is server security, then simply don't allow content to be executed on the server if it's uploaded by a user. For files that other people download, make sure to place a disclaimer that the content was user-generated and is not guaranteed to be virus-free.

链接地址: http://www.djcxy.com/p/7972.html

上一篇: 在PowerPoint 2010中以静默方式编辑嵌入的Excel数据

下一篇: 如何确定他们正在上传某些文件