I'm interested making certain my file uploaded via php into a db is locked down. Currently the key functions I'm using are fopen and fgetcsv. Unfortunately this subject seems quite nebulous in the webs.
The file isn't "executed" but is opened and walked with fgetcsv. What steps do I need to do in order make certain that no foul play occurs on my server through this module?
Currently I limit the file size and check the extension.
Do I need to verify the file uploaded is actually a csv and not just some file with a csv extension? I assume this would be through a file type recognizer?
What do I need to do to avoid multibyte/encoding exploits?
***Edit
I found this link to be helpful and may be to others; http://php.net/manual/en/features.file-upload.post-method.php
Thanks
If you are relying on a library to parse user input, you should have confidence in the quality of the library.
If you don't then picking a separate library is advisable.
If no sufficiently stable library can be found for the task, the only viable option in a security-critical application is to implement the functionality yourself.
Related
So I am trying to use XAMPP server on ubuntu (Xampp 1.7.7 and yes, I know it is old) to upload files to a specific directory using PHP.
I know that it can be done, but every bit of code I can find wants to use a temp name. I think it checks to see if there is a duplicate file but can't I set it to just go strait to the directory? I know it wont be a problem so is this possible? Let me know if I need to be more specific.
Also, please don't ask "Why don't you want to use the temp directory?" because I don't want/need to is your answer. So if you have an answer, please let me know.
Thanks! :)
PHP couldn't care less about duplicate files. If two people upload "file.txt", PHP won't care, because it'll be using that nice random temp name instead. File collision handling is NOT php's job. that's up to your code.
And while it would be nice if you didn't HAVE to use a temp file for uploads, removing that restriction would mean a complete re-write of PHP's upload infrastructure. The script which a file upload is performed on is not invoked until AFTER the upload has completed (regardless of success). There is no mechanism in PHP to allow a "live" script to accept the upload as the bytes are streaming in.
If you need to handle the raw straw as the upload proceeds, you'll have to use some other language, e.g. perl.
hi i wanted to know if uploading large files like videos ( over 200 mb - 1gb) from php is a good option after setting up the server configuration like max_post_size , execution time etc. The reason i ask this question is because i read some where that when a large file is uploaded , best practice is to break that file into chunks and upload it ( I think youtube does that). Do i need to use another language like python or C++ for uploading large files or is php enough. If i need to use another language can anyone please help me with reading material for that .
Thank you.
PHP will hold the entire file in memory while the upload is happening. That means that if you are uploading 5 files in parallel, then at the very most you will need 5GB+ of memory.
This can be done in PHP, and I have done this using a chunking method. There are several SO questions on this topic:
File uploads; How to utilize “chunking”?
Upload 1GB files using chunking in PHP
But my personal preference is to use plupload. It is a very complete cross-platform (JS, Flash, Silverlight) upload script with a nice PHP code sample to handle chunking.
Its not only PHP to be considered for large file uploads. Your web server also need to support that, at least in nginx. I don't know how httpd handles that, but as you said splitting in chunks are viable solution. FTP is another option.
Wherever I look on the difference between PHP functions' rename and move_uploaded_file it always says that the difference is that move_uploaded_file have some security features.
My questions are:
what are those security features, what happen if I don't use it?
In case that I can't use it (I did an upload but not through POST) so I have to use the rename function, what security measures do I need to take?
Thanks.
Edit
#Pekka asked from me to elaborate of how I plan to upload the file.
I'm going to upload files through Ajax, and I have some queue feature for uploading multiples files. Therefore I'm using the php://input stream.
If I understand Pekka answer correctly, I have nothing to worry about since I'm getting the file as a stream and I'm not copying any temp file.
Please correct me if I'm wrong.
The background of this was an ancient, pretty bad vulnerability (in the early 2000s) in which you, instead of uploading an actual file, you could overwrite the tmp_file path with a local file path, leading to that local file being treated as the upload instead of the real uploaded file. (There was no $_FILES array back then.)
So for example, when uploading an avatar, the script would copy() the system file you specified (say, a configuration file ../../super_secret/config.php or a .htpasswd) to a public location and try to display it as the avatar image in a <img> tag.
Strangely, I'm unable to find any specific info on this vulnerability (I've searched a number of times already over the past couple of years), but I know for a fact it existed because I tested it myself. Any links are welcome.
As to what security measures to take, as said in the comment, I think you need to explain in more detail what kind of alternative file upload you are planning to use.
I'm currently in the process of searching for a media upload library for PHP that can manage multiple types of files. Either a single library or a combination of different ones would work equally well.
I could write some simple upload code that checks what type of file, and incorporate some simple security measures, but I'd much rather leave it up to someone else more qualified.
Features I'm looking for in such a library:
Checking for file type. I would like the library to have a whitelist of types of files that can be uploaded, and be to able to check if the file uploaded is indeed on that whitelist. The checking process would have to do more than just check the file extension. Example: Only uploading .jpg, .png, .mp3, .avi is allowed.
Either a very comprehensive settings page/section or understandable and editable code. I'd like to be able to mold the library to fit the structure of my site, not the other way around.
Security checks. I would like there to be a system of security checks to make sure that files are not a possible security threat to my website.
Free. I'd rather not buy a library.
Tools I've Found So Far:
Due to the universal need for file upload code, there are tons of upload libraries out there, such as:
class.upload.php -- Manages the uploading, saving, and resizing of images.
Pear PHP's HTTP_Upload -- Manages files submitted via HTTP forms.
Easy PHP Upload -- Validates and manages file upload via Web forms
EasyUp -- Simply manages file upload.
The problem is, there's just so many libraries, frameworks, and classes out there that it's hard to choose one (or multiple to work in combination) and know that it's going to be reliable and work well.
So, it would be amazing if I could get some recommendations on what in your opinion the best file upload library or libraries are for PHP that contain the features I'm looking for!
Thanks a ton!
Well, it depends on just what you want uploaded. Is it just images? Text files? Videos?
At any rate, a library wouldn't actually be needed because PHP has a very powerful built in upload function.
This page here shows a good example of how to make a basic form and implementing some basic security checks, including checking the file extension. PHP is very secure as it is, though you'll have to decide for yourself what file extensions you will accept. Generally, it's best to choose specifically what you will accept, rather than limiting out a few high risk files only. For example, unless they're needed and you want to support them, avoid supporting archives (such as 7z, bz2, or zip) or executables.
As well, if you want to put a very basic virus scan into the newly uploaded file, you can use a method similar to this one.
You want to be able to meld your site around the desired library? Using PHP lets you do that better than anything, and it's relatively simple to do.
I allow PDF files to be uploaded to my site (PHP).
I would like to offer the ability to also allow .zip files which contain PDF files in directories so it is easier for users to simply zip a directory and upload one file instead of uploading multiple zip files individual.
For those of you who offer a .zip file upload feature to your (PHP) website, what are the technical, security, and other issues you have faced?
Be careful how you unpack the zip, you could find yourself consuming far more resources than you expected. Perhaps some setrlimit(2) resource limits before unpacking would be wise.
The unzip(1) utility has several nice safety features built in; the -^ command line option turns off control-character filtering, so make sure you don't touch this :) and the -: command line option allows stupid pathnames like ../../../../etc/passwd. Make sure you're on at least version 5.50, so that those stupid pathnames are forbidden by default. (And don't use that command line option. I mention the options just so you can more easily find the documentation for them. :)
If you use an API, make sure it has options to prevent both kinds of silly filenames.
Assuming the .zip gets unpacked eventually you would have to make sure the directory they get unpacked in is unreachable by the the clients' browsers (with .htaccess or by placing it outside the web root directory), and even in that case I'd still monitor the contents of the unpacked .zip to make sure they didn't contain anything that might prove harmful (php or other files run by the server, html spoofs).
Another issue is i guess the upload_max_filesize set in php.ini, you can make sure it can be set big enough to suit your purposes before you start coding.
edit: also read sarnold's answer ;)
AFAIK, php can handle zip files pretty efficiently. Difficulties/Issues that I can think of is, while accessing the file where We need to extract the zip first, and then retrieve the actual needed file. Due to that reason, extracting a zip, might consume additional amount of server time, depending on the size of the file itself.
Where As, during uploads, I do not suppose there is any difficulties or issues specially emphasized on zip types.