When you start working on a secure image upload script, there are many things to consider. Now I’m no where near an expert on this, but I’ve been asked to develop this once in the past. I’m gonna walk through the entire process I’ve been through here so you can follow along. For this I’m gonna start with a very basic html form and php script that handles the files.
HTML form:
<form name="upload" action="upload.php" method="POST" enctype="multipart/form-data">
Select image to upload: <input type="file" name="image">
<input type="submit" name="upload" value="upload">
</form>
PHP file:
<?php
$uploaddir="uploads/";
$uploadfile = $uploaddir . basename($_FILES['image']['name']);
if (move_uploaded_file($_FILES['image']['tmp_name'], $uploadfile)) {
echo "Image succesfully uploaded.";
} else {
echo "Image uploading failed.";
}
?>
First problem: File types
Attackers don’t have to use the form on your website to upload files to your server. POST requests can be intercepted in a number of ways. Think about browser addons, proxies, Perl scripts. No matter how hard we try, we can’t prevent an attacker from trying to upload something they’re not supposed to. So all of our security has to be done serverside.
The first problem is file types. In the script above an attacker could upload anything they want, like a php script for example, and follow a direct link to execute it. So to prevent this, we implement Content-type verification:
<?php
if($_FILES['image']['type'] != "image/png") {
echo "Only PNG images are allowed!";
exit;
}
$uploaddir="uploads/";
$uploadfile = $uploaddir . basename($_FILES['image']['name']);
if (move_uploaded_file($_FILES['image']['tmp_name'], $uploadfile)) {
echo "Image succesfully uploaded.";
} else {
echo "Image uploading failed.";
}
?>
Unfortunately this isn’t enough. As I mentioned before, the attacker has full control over the request. Nothing will prevent him/her from modifying the request headers and simply change the Content type to “image/png”. So instead of just relying on the Content-type header, it would be better to also validate the content of the uploaded file. Here’s where the php GD library comes in handy. Using getimagesize(), we’ll be processing the image with the GD library. If it isn’t an image, this will fail and therefor the entire upload will fail:
<?php
$verifyimg = getimagesize($_FILES['image']['tmp_name']);
if($verifyimg['mime'] != 'image/png') {
echo "Only PNG images are allowed!";
exit;
}
$uploaddir="uploads/";
$uploadfile = $uploaddir . basename($_FILES['image']['name']);
if (move_uploaded_file($_FILES['image']['tmp_name'], $uploadfile)) {
echo "Image succesfully uploaded.";
} else {
echo "Image uploading failed.";
}
?>
We’re still not there yet though. Most image file types allow text comments added to them. Again, nothing prevents the attacker from adding some php code as a comment. The GD library will evaluate this as a perfectly valid image. The PHP interpreter would completely ignore the image and run the php code in the comment. It’s true that it depends on the php configuration which file extensions are processed by the php interpreter and which not, but since there are many developers out there that have no control over this configuration due to the use of a VPS, we can’t assume the php interpreter won’t process the image. This is why adding a file extension white list isn’t safe enough either.
The solution to this would be to store the images in a location where an attacker can’t access the file directly. This could be outside of the document root or in a directory protected by a .htaccess file:
order deny,allow
deny from all
allow from 127.0.0.1
Edit: After talking with some other PHP programmers, I highly suggest using a folder outside of the document root, because htaccess isn’t always reliable.
We still need the user or any other visitor to be able to view the image though. So we’ll use php to retrieve the image for them:
<?php
$uploaddir="uploads/";
$name = $_GET['name']; // Assuming the file name is in the URL for this example
readfile($uploaddir.$name);
?>
Second problem: Local file inclusion attacks
Although our script is reasonably secure by now, we can’t assume the server doesn’t suffer from other vulnerabilities. A common security vulnerability is known as Local file inclusion. To explain this I need to add an example code:
<?php
if(isset($_COOKIE['lang'])) {
$lang = $_COOKIE['lang'];
} elseif (isset($_GET['lang'])) {
$lang = $_GET['lang'];
} else {
$lang = 'english';
}
include("language/$lang.php");
?>
In this example we’re talking about a multi language website. The sites language is not something considered to be “high risk” information. We try to get the visitors preferred language through a cookie or a GET request and include the required file based on it. Now consider what will happen when the attacker enters the following url:
www.example.com/index.php?lang=../uploads/my_evil_image.jpg
PHP will include the file uploaded by the attacker bypassing the fact that they can’t access the file directly and we’re back at square one.
The solution to this problem is to make sure the user doesn’t know the filename on the server. Instead, we’ll change the file name and even the extension using a database to keep track of it:
CREATE TABLE `uploads` (
`id` INT(11) NOT NULL AUTO_INCREMENT,
`name` VARCHAR(64) NOT NULL,
`original_name` VARCHAR(64) NOT NULL,
`mime_type` VARCHAR(20) NOT NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=0 DEFAULT CHARSET=utf8;
<?php
if(!empty($_POST['upload']) && !empty($_FILES['image']) && $_FILES['image']['error'] == 0)) {
$uploaddir="uploads/";
/* Generates random filename and extension */
function tempnam_sfx($path, $suffix){
do {
$file = $path."/".mt_rand().$suffix;
$fp = @fopen($file, 'x');
}
while(!$fp);
fclose($fp);
return $file;
}
/* Process image with GD library */
$verifyimg = getimagesize($_FILES['image']['tmp_name']);
/* Make sure the MIME type is an image */
$pattern = "#^(image/)[^\s\n<]+$#i";
if(!preg_match($pattern, $verifyimg['mime']){
die("Only image files are allowed!");
}
/* Rename both the image and the extension */
$uploadfile = tempnam_sfx($uploaddir, ".tmp");
/* Upload the file to a secure directory with the new name and extension */
if (move_uploaded_file($_FILES['image']['tmp_name'], $uploadfile)) {
/* Setup a database connection with PDO */
$dbhost = "localhost";
$dbuser = "";
$dbpass = "";
$dbname = "";
// Set DSN
$dsn = 'mysql:host=".$dbhost.";dbname=".$dbname;
// Set options
$options = array(
PDO::ATTR_PERSISTENT => true,
PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION
);
try {
$db = new PDO($dsn, $dbuser, $dbpass, $options);
}
catch(PDOException $e){
die("Error!: " . $e->getMessage());
}
/* Setup query */
$query = "INSERT INTO uploads (name, original_name, mime_type) VALUES (:name, :oriname, :mime)';
/* Prepare query */
$db->prepare($query);
/* Bind parameters */
$db->bindParam(':name', basename($uploadfile));
$db->bindParam(':oriname', basename($_FILES['image']['name']));
$db->bindParam(':mime', $_FILES['image']['type']);
/* Execute query */
try {
$db->execute();
}
catch(PDOException $e){
// Remove the uploaded file
unlink($uploadfile);
die("Error!: " . $e->getMessage());
}
} else {
die("Image upload failed!");
}
}
?>
So now we’ve done the following:
- We’ve created a secure place to save the images
- We’ve processed the image with the GD library
- We’ve checked the image MIME type
- We’ve renamed the file name and changed the extension
- We’ve saved both the new and original filename in our database
- We’ve also saved the MIME type in our database
We still need to be able to display the image to visitors. We simply use the id column of our database to do this:
<?php
$uploaddir="uploads/";
$id = 1;
/* Setup a database connection with PDO */
$dbhost = "localhost";
$dbuser = "";
$dbpass = "";
$dbname = "";
// Set DSN
$dsn = 'mysql:host=".$dbhost.";dbname=".$dbname;
// Set options
$options = array(
PDO::ATTR_PERSISTENT => true,
PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION
);
try {
$db = new PDO($dsn, $dbuser, $dbpass, $options);
}
catch(PDOException $e){
die("Error!: " . $e->getMessage());
}
/* Setup query */
$query = "SELECT name, original_name, mime_type FROM uploads WHERE id=:id';
/* Prepare query */
$db->prepare($query);
/* Bind parameters */
$db->bindParam(':id', $id);
/* Execute query */
try {
$db->execute();
$result = $db->fetch(PDO::FETCH_ASSOC);
}
catch(PDOException $e){
die("Error!: " . $e->getMessage());
}
/* Get the original filename */
$newfile = $result['original_name'];
/* Send headers and file to visitor */
header('Content-Description: File Transfer');
header('Content-Disposition: attachment; filename=".basename($newfile));
header("Expires: 0');
header('Cache-Control: must-revalidate');
header('Pragma: public');
header('Content-Length: ' . filesize($uploaddir.$result['name']));
header("Content-Type: " . $result['mime_type']);
readfile($uploaddir.$result['name']);
?>
Thanks to this script the visitor will be able to view the image or download it with its original filename. However, they can’t access the file on your server directly nor will they be able to fool your server to access the file for him/her as they has no way of knowing which file it is. They can’t brute force your upload directory either as it simply doesn’t allow anyone to access the directory except the server itself.
And that concludes my secure image upload script.
I’d like to add that I didn’t include a maximum file size into this script, but you should easily be able to do that yourself.
ImageUpload Class
Due to the high demand of this script, I’ve written an ImageUpload class that should make it a lot easier for all of you to securely handle images uploaded by your website visitors. The class can handle both single and multiple files at once, and provides you with additional features like displaying, downloading and deleting images.
Since the code is simply to large to post here, you can download the class from MEGA here:
Just read the README.txt and follow the instructions.
Going Open Source
The Image Secure class project is now also available on my Github profile. This so that others (you?) can contribute towards the project and make this a great library for everyone.