How to protect a PHP file upload against shell scripts

Viewed 311 times

How can I protect a PHP file upload against shell scripts, knowing that I only accept one type of extension?

1 answer

Instead of checking the extension, you can check the contents using the PHP API called fileinfo, as I showed in this reply /a/73497/3635

Note that in PHP 5.3 (rare, but some servers still use it) we did not have Fileinfo, but we had mime_content_type (the documentation does not say whether it is deprecated), so I put it in as a fallback: if one function is available, use it; if not, try the older one. However, I always see both enabled.

Example:

<?php

function mimeType($file)
{
    $mimetype = false;

    if (class_exists('finfo')) { // PHP 5.4+
        $finfo     = finfo_open(FILEINFO_MIME_TYPE);
        $mimetype  = finfo_file($finfo, $file);
        finfo_close($finfo);
    } else if (function_exists('mime_content_type')) { // PHP 5.3 or lower
        $mimetype = mime_content_type($file);
    }

    return $mimetype;
}

// List the permitted types here
$validos = array( 'image/jpeg', 'image/png', 'image/gif', 'text/plain' );

$location = 'uploads/';
// Avoid an undefined-index notice when no file field was sent
$arquivo = isset($_FILES['file']) ? $_FILES['file'] : null;

if ($arquivo) {
    // basename() strips any directory components from the client-supplied name
    $name = basename($arquivo['name']);
    $tmp_name = $arquivo['tmp_name'];

    if ($arquivo['error'] !== UPLOAD_ERR_OK) {
        // $arquivo['error'] holds the UPLOAD_ERR_* code
        echo 'Erro ao fazer o upload: ', $arquivo['error'];
    } else {
        // Get the mimetype
        $mimeType = mimeType($tmp_name);

        // Check the mimetype against the array
        if (!in_array($mimeType, $validos)) {
            echo 'Formato de arquivo inválido';
        } elseif (move_uploaded_file($tmp_name, $location . $name)) {
            echo 'Upload completo';
        }
    }
}
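A stricter variant of the handler above, added here as an example and not part of the original answer. It keeps the content-based check with finfo but also ignores the client-supplied filename and extension entirely: the extension written to disk comes from a server-side map of accepted MIME types, the name is random, and for images getimagesize() must agree with finfo. The function names, the $ALLOWED map and the upload directory path are assumptions of this example; it assumes PHP 5.3 or newer with the Fileinfo extension enabled.

```php
<?php
// Added example, not the original answer's code.
// Assumes PHP >= 5.3 with Fileinfo enabled and an upload directory from which
// the web server never executes PHP.

// Each accepted MIME type maps to the ONE extension that will be written to disk.
// The user-supplied filename and extension are never used.
$ALLOWED = array(
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
);

// Detect the MIME type from the file contents, not from the client's claim.
function detectMimeType($path)
{
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    if ($finfo === false) {
        return false;
    }
    $mime = finfo_file($finfo, $path);
    finfo_close($finfo);
    return $mime;
}

// Validates one entry of $_FILES and moves it into $dir under a random name.
// Returns array('ok' => bool, 'message' => string, 'path' => string|null).
function storeUpload(array $upload, $dir, array $allowed, $maxBytes = 2097152)
{
    $fail = function ($msg) {
        return array('ok' => false, 'message' => $msg, 'path' => null);
    };

    if ($upload['error'] !== UPLOAD_ERR_OK) {
        return $fail('upload error ' . $upload['error']);
    }
    // Only accept files that really arrived through the HTTP upload mechanism.
    if (!is_uploaded_file($upload['tmp_name'])) {
        return $fail('not an uploaded file');
    }
    if ($upload['size'] > $maxBytes) {
        return $fail('file too large');
    }

    $mime = detectMimeType($upload['tmp_name']);
    if ($mime === false || !isset($allowed[$mime])) {
        return $fail('unsupported content type');
    }

    // Second opinion: the image decoder must agree with finfo. A file that merely
    // starts with an image header but is not a parsable image is rejected here.
    $imageInfo = @getimagesize($upload['tmp_name']);
    if ($imageInfo === false || $imageInfo['mime'] !== $mime) {
        return $fail('content does not match detected image type');
    }

    // Server-chosen random name; the extension comes from the whitelist.
    $random = function_exists('random_bytes')
        ? random_bytes(16)
        : openssl_random_pseudo_bytes(16);
    $name = bin2hex($random) . '.' . $allowed[$mime];
    $dest = rtrim($dir, '/') . '/' . $name;

    if (!move_uploaded_file($upload['tmp_name'], $dest)) {
        return $fail('could not move file');
    }
    chmod($dest, 0644); // readable by the server, never executable
    return array('ok' => true, 'message' => 'stored', 'path' => $dest);
}

// Usage (assumed form field name "file" and directory "uploads" beside this script)
if (isset($_FILES['file'])) {
    $result = storeUpload($_FILES['file'], __DIR__ . '/uploads', $ALLOWED);
    echo $result['message'];
}
```

The MIME check alone is not sufficient: a file can carry a valid image header followed by PHP code, and finfo will still report image/gif. What stops such a file from running as a shell is that the stored name never carries a client-chosen extension and that the upload directory is configured not to execute scripts (with mod_php, for example, `php_admin_flag engine off` in that directory's configuration; with PHP-FPM, simply not routing that path to the FPM handler).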
  • thank you very much friend :)

  • OK, I'll test it in the morning

  • I believe you are not getting the mime properly; it always falls into the function saying that it is invalid, even for a file that is allowed

  • Huh, the return is: bool(false)

  • I believe you do not have mime type in PHP version 5.2

  • I'm updating the script to newer versions; it's very old and has many deprecated functions. Since I'm updating it anyway, I will use fileinfo

  • yes, they are old functions too (eregi, ereg), variables showing up as Undefined, but I am already adjusting it; it is better than being limited. The scripts were created in 2006 :)

  • http://pastebin.com/k6xdEswX

  • @Jeffersonmelloolynyki I have not used php5.2 for a while, but try removing the ; from this line ;extension=php_mime_magic.dll, leaving extension=php_mime_magic.dll, then restart Apache/Wamp/Xampp and see if it works
