Re: File upload security

---

• From: Justin Koivisto <justin@xxxxxxxxx>
• Date: Wed, 27 Jul 2005 14:10:59 GMT

---

Geoff Berrow wrote:

> I've written a script which takes a couple of user image files and uses
> them to create a watermarked image.
> http://www.ckdog.co.uk/watermark.php
>
> I'm checking the images like so:
>
> if(!empty($_FILES['pattern']['tmp_name']) ){
> if(is_uploaded_file($_FILES['pattern']['tmp_name'])){
> if(
> !$patternsize=getimagesize($_FILES['pattern']['tmp_name'])){
> header('Location: watermark.php?nosize=2');
> exit;
> }
> $patt=$_FILES['pattern']['tmp_name'];
> }
> }
>
> It has been suggested to me that this is still insecure as people could
> use 'character substitution hacks' to upload files to the tmp directory.
>
> Comments?

I usually start out like this (from the top of my head, not tested)...

$IMG_PROCESSED=FALSE;
if( isset($_FILES['pattern'])
&& isset($_FILES['pattern']['error'])
&& $_FILES['pattern']['error']==0
){
// this tells me that the file was uploaded via my script
if(file_exists($_FILES['pattern']['tmp_name'])){
// the file exists
if($size=getimagesize($_FILES['pattern']['tmp_name'])){
// See notes below
$IMG_PROCESSED=TRUE;
}
}
}

if(!$IMG_PROCESSED){
// whatever error stuff needs to be done goes here
}

The next steps I usually do involve checking that the image type is
something that I am expecting and that the server's PHP/GD install can
handle. Once I have decided that everything is OK, I set the
$IMG_PROCESSED variable to boolean true.

To be honest, I haven't really dealt with character substitution hacks
because it has never come up for me. However, I don't see how character
substitution would get by checking with file_exists, getimagesize, and
then parsing the output from getimagesize... If that is still insecure,
I'd like to hear about that. (Perhaps Chris Shiflett would be the one to
really answer that question...)

--
Justin Koivisto, ZCE - justin@xxxxxxxxx
http://koivi.com
.

---

• References:
  • File upload security
    • From: Geoff Berrow

• Prev by Date: Re: Show countdown from 10 to 0 seconds
• Next by Date: Re: turn off register_globals on a shared server
• Previous by thread: File upload security
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: SW for visitors to upload pictures and descriptions. ... Try a Google search using "cgi scripts upload files real estate" and you ... features that you probably want to look for. ... The script referenced above ... (microsoft.public.frontpage.programming) Re: FTP batch client and XP firewall problem ... > I'm having trouble getting a batch script to upload files to a remote ... > via ftp. ... I tried opening the firewall for ftp.exe but that didn't work. ... > Eventually, I just temporarily disabled the XP firewall, ran the script ... (microsoft.public.windowsxp.security_admin) Re: upload download linux solution ... > Does anyone know any script that will alow users to upload files to a ... > web shared folder, and the securly allow other users to access this ... (comp.os.linux.misc) upload download linux solution ... Does anyone know any script that will alow users to upload files to a ... web shared folder, and the securly allow other users to access this ... (comp.os.linux.misc) Re: how can I tell if a remote file is an image ... > I've written a link aliasing script that allows users to rewrite urls ... The crux of the script is the following: ... > customer run it under php4.2.2 and the getimagesize is taking approx. ... (comp.lang.php)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(12)