PHP file upload: mime or extension based verification?

by

Okay, so to all the geniouses here yapping something about “SCREW EXTENSIONS, CHECK MIME! FILEINFO RLZ!”, I’ve prepared some tutorial:

  1. Download this pretty php logo I drew
  2. View it. Pretty nice, isn’t it?
  3. Rename it to whatever_you_like.php
  4. Put it through all your awesome mime type/whatever checkers
  5. Run it

In conclusion, you should NEVER EVER EVER rely on MIME type. You web server doesn’t care about MIME type, it determines what to do by EXTENSION, the ultimately downvoted @Col. Shrapnel‘s answer is actually right. Any information provided to you by something checking MIME is absolutely irrelevant to your webserver when it comes to execution.

EDIT: the not-as-uncommon-code-as-you’d-want-it-to-be that opens a website to this type of attack:

<?php

$mimetype = mime_content_type($_FILES['file']['tmp_name']);
if(in_array($mimetype, array('image/jpeg', 'image/gif', 'image/png'))) {
   move_uploaded_file($_FILES['file']['tmp_name'], '/whatever/something/imagedir/' . $_FILES['file']['name']);
   echo 'OK';

} else {
    echo 'Upload a real image, jerk!';
}

More Related Contents:

  1. how to set progress bar in file uploading using jquery? [closed]
  2. Why would $_FILES be empty when uploading files to PHP?
  3. how to do file upload using jquery serialization
  4. Send File Attachment from Form Using phpMailer and PHP
  5. Full Secure Image Upload Script
  6. Check file extension in upload form in PHP [duplicate]
  7. How to check file types of uploaded files in PHP?
  8. PHP check if file is an image [duplicate]
  9. Upload a file using file_get_contents
  10. Check file size before upload
  11. How to limit file upload type file size in PHP?
  12. upload large files using php, apache
  13. How to check if an uploaded file is an image without mime type?
  14. How to handle multiple file upload using PHP
  15. Handling plupload’s chunked uploads on the server-side
  16. $_FILES field ‘tmp_name’ has no value on .JPG file extension
  17. Codeigniter multiple file upload messes file extension
  18. PHP move_uploaded_file() error?
  19. Uploading file in php server from android device
  20. Upload multiple files in CodeIgniter
  21. Setting PHP tmp dir – PHP upload not working
  22. Count and limit the number of files uploaded (HTML file input)
  23. How can I determine a file’s true extension/type programmatically?
  24. Secure User Image Upload Capabilities in PHP
  25. Detecting file upload size on the client side?
  26. How to get the file path in html in PHP?
  27. Upload doesn’t work right when the file is too big
  28. What’s the best way to create a single-file upload form using PHP?
  29. PHP upload size and its impact on post size and memory limit
  30. PhP Upload progress in PhP 5.4 is not working. Session variables not set

Leave a Comment