Safely uploading files

  • Geoff Berrow

    Safely uploading files

    What is the best way to sanitize and check the validity of an uploaded
    file? I don't seem to see any functions that will check a file is what
    it purports to be.
    --
    Geoff Berrow 011000100110110 0010000000110
    001101101011011 001000110111101 100111001011
    100110001101101 111001011100111 010101101011
    http://slipperyhill.co.uk - http://4theweb.co.uk
  • Sjoerd

    #2
    Re: Safely uploading files

    Geoff Berrow wrote:
    >What is the best way to sanitize and check the validity of an uploaded
    >file? I don't seem to see any functions that will check a file is what
    >it purports to be.

    Handling file uploads: http://nl.php.net/manual/en/features.file-upload.php

    It depends on your case how you would check the uploaded file. In any
    case, you do not want to allow uploading .php files to a location which
    allows executing them.

    If you want to allow only a certain type of files you may find the unix
    'file' command useful, which tries to determine the file type from the
    content of a file. If you only allow images, you may use GD or
    ImageMagick to check whether the images are valid. However, this would
    still allow things such as the JPEG/GDI+ exploit, where it is possible to
    upload a malicious file as a valid JPEG.

    What files do you want to allow?

    Comment

    • Geoff Berrow

      #3
      Re: Safely uploading files

      Message-ID: <2bb36$48bed246 $50386f7f$21534 @news.chello.nl from Sjoerd
      contained the following:
      >What files do you want to allow?

      .doc .docx and .ppt
      --
      Geoff Berrow 011000100110110 0010000000110
      001101101011011 001000110111101 100111001011
      100110001101101 111001011100111 010101101011
      http://slipperyhill.co.uk - http://4theweb.co.uk

      Comment

      • C. (http://symcbean.blogspot.com/)

        #4
        Re: Safely uploading files

        On 3 Sep, 23:51, Geoff Berrow <blthe...@ckdog .co.uk> wrote:
        >Message-ID: <2bb36$48bed246 $50386f7f$21534 @news.chello.nl from Sjoerd
        >contained the following:
        >
        >>What files do you want to allow?
        >
        >.doc .docx and .ppt

        And you want to make sure they're not malware?

        Short answer is you can't: this is why a lot of people don't like
        Microsoft's products and file formats, or indeed any proprietary
        formats.

        You could run a virus checker on them and keep your fingers crossed.

        Normally I'd recommend converting them to a different format (e.g. PNG
        to TIFF) then, optionally converting them back again, and there are
        tools like wv which will convert .doc files without too much loss of
        information to HTML, or if you're really masochistic use the automation
        features in OpenOffice.

        C.

        Comment

        • Michael Austin

          #5
          Re: Safely uploading files

          Geoff Berrow wrote:
          >What is the best way to sanitize and check the validity of an uploaded
          >file? I don't seem to see any functions that will check a file is what
          >it purports to be.

          If the intent is to keep someone from executing something on your
          server, I upload the file to a directory that is NOT in the htdocs
          directory structure and is not visible to the web server except via your
          php script therefore preventing them from crafting something that will
          execute it.

          I used something I copied from someone else searching for "php upload
          multiple files".

          I also do not use MAC, Windows or UNIX which allows me much more control
          over where/when/how/who can access files.

          Comment
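
The approach described in the post above (keep uploads outside htdocs and hand them out only through a PHP script), as an added example that is not code from any poster in this thread. `UPLOAD_DIR`, `store_upload()` and `send_download()` are hypothetical names, and the caller is assumed to have already checked the user's login.

```php
<?php
// Added example: the path and function names are assumptions, not from the thread.
const UPLOAD_DIR = '/var/app-data/uploads';   // assumed location outside htdocs

/** Move a PHP upload into UPLOAD_DIR under a random, server-chosen name. */
function store_upload(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    $id = bin2hex(random_bytes(16));           // never reuse the client's filename on disk
    $dest = UPLOAD_DIR . '/' . $id;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('cannot store upload');
    }
    chmod($dest, 0640);                        // readable by the app, no execute bit
    return $id;                                // store $id and the display name in the database
}

/** Stream a stored file back as an attachment; $id comes from a database lookup. */
function send_download(string $id, string $displayName): void
{
    if (!preg_match('/\A[0-9a-f]{32}\z/', $id)) {   // rejects ../ and any other path input
        http_response_code(400);
        return;
    }
    $path = UPLOAD_DIR . '/' . $id;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    // Reduce the display name to a conservative character set before it enters a header.
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($displayName));
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $safeName . '"');
    header('X-Content-Type-Options: nosniff');      // browser must not guess a type
    header('Content-Length: ' . filesize($path));
    readfile($path);
}
```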

          • Geoff Berrow

            #6
            Re: Safely uploading files

            Message-ID: <LV0wk.36598$co 7.20614@nlpi066 .nbdc.sbc.com from Michael
            Austin contained the following:
            >If the intent is to keep someone from executing something on your
            >server, I upload the file to a directory that is NOT in the htdocs
            >directory structure and is not visible to the web server except via your
            >php script therefore preventing them from crafting something that will
            >execute it.

            I do that too but I have more problems than that. Academics login
            (using a previously verified email address) and upload papers. The
            files are checked to see that they are of the allowable filetypes and
            then renamed and saved in a folder above the webroot. The trackleaders
            then log in and can download the papers for evaluation.

            So, not only do I need to protect the server, I'd like to protect the
            trackleaders as well. Or should I write a disclaimer saying I can't be
            responsible for the content?
            --
            Geoff Berrow 011000100110110 0010000000110
            001101101011011 001000110111101 100111001011
            100110001101101 111001011100111 010101101011
            http://slipperyhill.co.uk - http://4theweb.co.uk

            Comment

            • Jerry Stuckle

              #7
              Re: Safely uploading files

              Geoff Berrow wrote:
              >Message-ID: <LV0wk.36598$co 7.20614@nlpi066 .nbdc.sbc.com from Michael
              >Austin contained the following:
              >
              >>If the intent is to keep someone from executing something on your
              >>server, I upload the file to a directory that is NOT in the htdocs
              >>directory structure and is not visible to the web server except via your
              >>php script therefore preventing them from crafting something that will
              >>execute it.
              >
              >I do that too but I have more problems than that. Academics login
              >(using a previously verified email address) and upload papers. The
              >files are checked to see that they are of the allowable filetypes and
              >then renamed and saved in a folder above the webroot. The trackleaders
              >then log in and can download the papers for evaluation.
              >
              >So, not only do I need to protect the server, I'd like to protect the
              >trackleaders as well. Or should I write a disclaimer saying I can't be
              >responsible for the content?

              You definitely need a disclaimer. No matter how much you check them,
              you can always miss something. And you don't want to get sued because
              someone plagiarized someone else's work.

              And you won't be able to tell for sure what type a document is. For
              instance, you can't be 100% assured this is a MS Word doc. You can get
              close with a lot of work, but never 100%.

              My suggestion would be to parse the file for things like <?php, etc.
              Definitely run a virus scanner against the file. If you don't find
              anything dangerous, continue the processing. Otherwise reject the
              upload and tell the user why.

              --
              ==================
              Remove the "x" from my email address
              Jerry Stuckle
              JDS Computer Training Corp.
              jstucklex@attgl obal.net
              ==================

              Comment
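
A content check for the three types named in the thread (.doc, .docx, .ppt), combining the content-based typing Sjoerd mentions with the `<?php` scan suggested in the post above. This is an added example, not code from the thread; `check_office_upload()` and its messages are hypothetical.

```php
<?php
// Added example: function name and return strings are assumptions for illustration.

/** Return null if the file is shaped like its claimed type, else a rejection reason. */
function check_office_upload(string $path, string $clientName): ?string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, ['doc', 'docx', 'ppt'], true)) {
        return 'extension not allowed';
    }
    $head = (string) file_get_contents($path, false, null, 0, 8);

    if ($ext === 'doc' || $ext === 'ppt') {
        // Legacy Office files are OLE2 compound documents with this 8-byte signature.
        // The signature alone cannot tell a .doc from a .ppt.
        if ($head !== "\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1") {
            return 'not an OLE2 compound file';
        }
    } else {
        // .docx is a ZIP archive that must contain these two parts.
        if (substr($head, 0, 4) !== "PK\x03\x04") {
            return 'not a ZIP container';
        }
        $zip = new ZipArchive();
        if ($zip->open($path) !== true) {
            return 'unreadable ZIP';
        }
        $ok = $zip->locateName('[Content_Types].xml') !== false
            && $zip->locateName('word/document.xml') !== false;
        $zip->close();
        if (!$ok) {
            return 'ZIP is not a Word document';
        }
    }
    // Raw-byte scan for a PHP open tag; compressed ZIP members are not inspected.
    if (stripos((string) file_get_contents($path), '<?php') !== false) {
        return 'contains PHP open tag';
    }
    return null;
}
```

A file that passes is only shaped like the claimed type; the virus scan recommended in the thread remains a separate step.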
