4 Replies - 445 Views - Last Post: 18 July 2012 - 08:31 AM

#1 notice88

How can I prevent users from uploading malicious php Code?

Posted 17 July 2012 - 05:10 PM

My system has a file upload and you can view it in the browser. In the file upload, I'm depending on the file extension if the file is a PDF file or not. What if the user uploaded a PHP file and tried a code like information schema to view all tables in the database and delete it? Even if I restrict to PDF files, they might find a way to change the ext and change it while uploaded.

Replies To: How can I prevent users from uploading malicious php Code?

#2 CTphpnwb

Re: How can I prevent users from uploading malicious php Code?

Posted 17 July 2012 - 05:29 PM

move_uploaded_file() can alter the filename/extension to anything you like. If you always forced it to a .txt file for example, it would never execute on the server.

#3 Atli

Re: How can I prevent users from uploading malicious php Code?

Posted 18 July 2012 - 01:41 AM

If you want to verify that the file is actually a PDF, beyond just checking the file extension, you can do that in a couple of ways.

First, you can use the FileInfo extension to fetch the actual mime-type of the uploaded file. You can then use that to cancel the upload script before the file can be properly stored and made visible.

For example, using the FileInfo extension, you could do this:
// Create a new finfo object to check MIME types.
$fi = new finfo(FILEINFO_MIME_TYPE);

// Fetch the mime-type for the uploaded file.
$fileType = $fi->file($_FILES['pdf_file']['tmp_name']);

// Make sure it's a PDF file.
if ($fileType !== 'application/pdf') {
    die("We only accept PDF files!");
}



If that option isn't available to you, you can also use another method to filter out any non-PDF files. All valid PDF files should start with the string %PDF as the first four bytes. You can, therefore, eliminate all non-PDF files based on that.
// Read the first four bytes of the file.
$fileHeader = file_get_contents($_FILES['pdf_file']['tmp_name'], false, null, 0, 4);

// Check if they match a valid PDF file.
if ($fileHeader !== "%PDF") {
    die("We only accept PDF files!");
}


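An added example, not code from any poster in this thread: one upload handler that combines the checks suggested so far (upload status, detected MIME type, the %PDF signature, and a server-chosen name with a forced extension). The form field name pdf_file comes from the post above; UPLOAD_DIR, MAX_BYTES and storeUploadedPdf() are assumptions made for the example.

```php
<?php
// Added example. Assumed values: UPLOAD_DIR (a directory outside the web root)
// and MAX_BYTES (a 10 MB limit). Requires PHP 7+ and the FileInfo extension.
const UPLOAD_DIR = '/var/app-data/uploads';
const MAX_BYTES  = 10 * 1024 * 1024;

function storeUploadedPdf(array $upload): string
{
    // Reject failed or oversized uploads before touching the file.
    if (($upload['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed.');
    }
    if (($upload['size'] ?? 0) > MAX_BYTES) {
        throw new RuntimeException('File too large.');
    }
    $tmp = $upload['tmp_name'];
    // Make sure the path really is a file PHP received via HTTP POST.
    if (!is_uploaded_file($tmp)) {
        throw new RuntimeException('Not an uploaded file.');
    }
    // Content checks: detected MIME type and the %PDF signature.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    $head = file_get_contents($tmp, false, null, 0, 4);
    if ($mime !== 'application/pdf' || $head !== '%PDF') {
        throw new RuntimeException('We only accept PDF files!');
    }
    // Never reuse the client-supplied name: generate one and force the extension.
    $storedName = bin2hex(random_bytes(16)) . '.pdf';
    if (!move_uploaded_file($tmp, UPLOAD_DIR . '/' . $storedName)) {
        throw new RuntimeException('Could not store the file.');
    }
    return $storedName; // keep this next to the original name in the database
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_FILES['pdf_file'])) {
    try {
        echo 'Stored as ' . htmlspecialchars(storeUploadedPdf($_FILES['pdf_file']));
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage());
    }
}
```

The content checks only filter by file type: a file can begin with %PDF and still contain PHP tags further in. What keeps it from running is the server-chosen name and a storage location the web server never executes from.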

#4 RudiVisser

Re: How can I prevent users from uploading malicious php Code?

Posted 18 July 2012 - 05:44 AM

Obviously enabling safe_mode is the only real path to true PHP security, so do that first.

But in addition to this and the above comments regarding forcing the extension to a certain type, and detecting the filetype, you could also do the following option and simply whitelist extensions.

For example, if you only allow .pdf, then you can check for that. If that's the only extension you allow, and you rename it to the original filename (which is now sanitised with that ending) it's not going to change to .php (for example) to be able to execute on the server, it will stay as a .pdf.

#5 AdaHacker

Re: How can I prevent users from uploading malicious php Code?

Posted 18 July 2012 - 08:31 AM

RudiVisser, on 18 July 2012 - 08:44 AM, said:

Obviously enabling safe_mode is the only real path to true PHP security, so do that first.

I'm going to go ahead and assume you forgot the <sarcasm> tags or winking emoticon there. For anyone who took that seriously, safe_mode isn't a solution because it was deprecated in PHP 5.3 and has been removed in PHP 5.4. It was removed because it was an architecturally bad solution used primarily by crappy hosting providers who were too lazy to properly secure their environments. Don't rely on it.

Getting back to the question at hand, many of the above recommendations are trying to solve this at the wrong level. Why not just use the obvious solution - never run those files through PHP. If you serve them in such a way that they're never passed to PHP or any other interpreter, then you have nothing to worry about. File extension is irrelevant if the file can never be executed.

There are a few ways to do this. One would be to store the files in a directory that's not web-accessible and serve them out through a PHP script that just reads the file and dumps the output to the client. This is trivially accomplished using something like readfile() and is a very common technique. Another way would be to just reconfigure your webserver. You could still store the files in a web-accessible location, but set your server to disable PHP, CGI, etc. for that directory/vhost. Either way, the point is that you're setting things up such that even if a malicious script gets uploaded, your server will never execute it.

This post has been edited by AdaHacker: 18 July 2012 - 08:32 AM

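An added example, not AdaHacker's code: a download script for the first approach described above, where files live outside the web root and are streamed with readfile(). The path in UPLOAD_DIR, the stored-name format (32 hex characters plus .pdf), the id query parameter and resolveStoredPdf() are assumptions made for the example.

```php
<?php
// Added example. Assumptions: uploads are stored in UPLOAD_DIR (outside the web
// root) under names like <32 hex chars>.pdf, and this script is requested as
// download.php?id=<stored name>.
const UPLOAD_DIR = '/var/app-data/uploads';

function resolveStoredPdf(string $id): ?string
{
    // Accept only names of the expected shape; this rules out "../" and other extensions.
    if (!preg_match('/\A[0-9a-f]{32}\.pdf\z/', $id)) {
        return null;
    }
    $base = realpath(UPLOAD_DIR);
    $path = realpath(UPLOAD_DIR . '/' . $id);
    // realpath() resolves symlinks; the result must still be inside UPLOAD_DIR.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

$id   = $_GET['id'] ?? '';
$path = is_string($id) ? resolveStoredPdf($id) : null;
if ($path === null) {
    http_response_code(404);
    exit('Not found.');
}

// Fixed content type plus nosniff, so the browser does not guess a different type.
header('Content-Type: application/pdf');
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: inline; filename="document.pdf"');
header('Content-Length: ' . filesize($path));
readfile($path); // raw bytes are copied to the client; nothing is parsed as PHP
```

Because the script always sends application/pdf and only copies bytes, an uploaded file that contains PHP is delivered as data and never reaches the interpreter.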