I am building a upload feature on my project.I have done other validation on exist,size and type but there were some little more validation needed.I found out mime validation where no matter what file extension a user upload it checks the real file type.Below code did that work for me.Now whenever a user try to upload .php file as a .png/jpg/jpeg or any other fake extension name my code catches as malicious file type.But I have a question that when a user upload a file at first it goes on temporary directory.Is that temporary directory is used from client pc or from our server?If its from our server then will that malicious fake extension file can be dangerous for us or not?
$imageInfo = getimagesize($_FILES['file']['tmp_name']);
if ($imageInfo['mime'] == ("image/png") || $imageInfo['mime'] == ("image/jpeg")
|| $imageInfo['mime'] == ("image/jpg")) {
From the manual:
Files will, by default be stored in the server's default temporary directory, unless another location has been given with the upload_tmp_dir directive in php.ini. The server's default directory can be changed by setting the environment variable TMPDIR in the environment in which PHP runs.
The file will be deleted from the temporary directory at the end of the request if it has not been moved away or renamed.
Unless you do something intentionally stupid like run files found within that temporary directory, or cause them to be run, you're fine. It's not dangerous for a file to simply exist for a short period of time only to be deleted.
the temp directory is from your server, and it is possible to execute files in the temp directory, so you can run the sys_get_temp_dir() so you can know the location of the temp directory and change the permission to Read and Write only.
first get extension then use extension in if condition like this :
$extension = image_type_to_extension($imageInfo[2]);
Related
When uploading a file through PHP - The default behavior of the interpreter is to save the file in a temporary folder, with temporary name.
Then we will have to use the function move_uploaded_file() in order to save it permanently.
If I have access to the php code- is there a way to skip the move_uploaded_file() phase ?
Yes and no. You can specify which directory to put the temporary files in, but not decide on the temporary name yourself.
From the docs:
Files will, by default be stored in the server's default temporary directory, unless another location has been given with the upload_tmp_dir directive in php.ini.
So you can set upload_tmp_dir:
The temporary directory used for storing files when doing file upload. Must be writable by whatever user PHP is running as. If not specified PHP will use the system's default.
If the directory specified here is not writable, PHP falls back to the system default temporary directory. If open_basedir is on, then the system default directory must be allowed for an upload to succeed.
However, this merely decides the directory but not the filename itself.
I think there is pretty solid reasoning why you can't do that:
Concurrency: How would you know if multiple users / multiple processes are trying to write to the same filename that your application logic decides on? This would cause a lot of race conditions if handled differently.
Depending on your operating system and filename escaping, it could also be a huge security risk to have the file named based on user input or application logic. For example, one could try to overwrite the password file /etc/shadow on a Linux-based system and hook into system access.
Furthermore, I personally don't really see any reason why using the process with move_uploaded_file() would be bothersome.
I've tried to look around for some tricks on how I can do this safely, without executing the code.
Does the code get executed if i simply upload it to the file system, then leave it be until someone downloads it?
Or is this a potential threat aswell?
What I am trying to do is making the users able to upload their CV in pdf files. The administrator can then download this pdf file (not being viewed on server, but downloaded).
How should I do this to prevent malicious files from being executed on my server? Also, would it be risky to place this folder OUTSIDE the public_html folder?
There's not a lot of risk to upload .pdf in a folder.
the folder must be in 644 (chmod). and have a index.php with redirect to the index of the website
Inside or outsite the "public_html" .. it's not a problem
when you upload, you can check the extension (.pdf) and type mime:
with finfo_file (http://php.net/manual/en/function.finfo-file.php )
and
with $extension = substr($file, -3);
That depends on how your server is set. If it allows PDF files to be used as executable, or to be opened with particular application/processing script that could be used for malicious actions. Otherwise you have to follow simple instructions such as restriction of file name length and avoiding to perform read operation of that file. As I understand you need only to upload and safe them. I'd keep them in public_html and once uploaded correctly (you checked filesize, extension etc) moved them whenever you like.
I am uploading an image and storing the image path in database. Coding for this is as below
<?php
if( move_uploaded_file( $_FILES[$objName]['tmp_name'], trim($this->upload_path.$img_name_str )) ) {
$fNames[] = $img_name_str;
chmod(trim($this->upload_path.$img_name_str ), 777);
}
?>
Image uploaded into folder correctly. But the problem is permission for the image is set as 01411 even though I set folder permission as 777. This causes I am unable to show the image in front end. Please advice.
I am facing this issue only in server.
From php.net
Note:
The current user is the user under which PHP runs. It is probably not
the same user you use for normal shell or FTP access. The mode can be
changed only by user who owns the file on most systems.
Note:
This function will not work on remote files as the file to be examined
must be accessible via the server's filesystem.
Note:
When safe mode is enabled, PHP checks whether the files or directories
you are about to operate on have the same UID (owner) as the script
that is being executed. In addition, you cannot set the SUID, SGID and
sticky bits.
I am using XAMPP on Windows. By printing $_FILES["file"]["tmp_name"], it seems that the temporary file was saved at C:\xampp\tmp\phpABCD.tmp. But I cannot see it on the filesystem of the server. However, the file can be moved or copied via move_uploaded_file(), rename(), or copy(). So where does PHP actually save temporary files during uploading?
It saves it at the path specified in $_FILES["file"]["tmp_name"], but deletes it after the script is done executing. It's up to you to move the file elsewhere if you want to preserve it.
Its specified in upload_tmp_dir in your php.ini file. It is deleted by the system automatically after use.
You can check where php is currently saving your temp files $_FILES["file"]["tmp_name"] by printing
sys_get_temp_dir()
Use move_uploaded_file(file, path), specify the file and the path where you want to store the file.
A copy of that file is created and gets stored.
php stores all temporary files, that includes uploaded files, in the temporary files directory as specified in the php.ini. Note that for uploads, those files might be removed as soon as the script the file was uploaded to was terminated (so unless you delay that script, you probably won't see the uploaded file). Another reason might be that the file is simply hidden on the file system.
So if you want to see the file, you might want to make sure you see all hidden files in the explorer and delay the script as long as you need to find the file.
from http://www.php.net/manual/en/features.file-upload.php#93602, "...the uploaded file will inherit the permissions of the directory specified in the directive upload_tmp_dir of php.ini. If this directive isn't set, the default of C:\Windows\Temp is used..."
Note that the file is saved binary in $_FILES["file"]["tmp_name"], so you may open it maybe with file_get_contents if it is an image or something like this...
IF you are asking the file location then it depend on the setting of server. but if you are asking whether it saved first in local system or in server. then answer is it save in temp folder in server.
I'm uploading files via JS and storing the temp path in the session.
Than i use the following code to move the files.
if(move_uploaded_file($_SESSION['temp_img'][$key]['path'], $dest.$bigimg)){
$dest and $bigimg are defined earlier in the script with the id from the database.
Any Ideas or alternatives ?
MANCHUCK's answer was close but not quite there. You must call move_uploaded_file within the script where the file was uploaded. You cannot do what you're doing, that is, "storing temp path in the session" because that path is only valid for one request.
From the PHP manual:
The file will be deleted from the
temporary directory at the end of the
request if it has not been moved away
or renamed.
(Emphasis mine)
move_uploaded_file checks that a file has been uploaded to that page. You are actually uploading the file to a different PHP script then storing in a session. Instead of using move_upload_file use rename.
What is the output of $_SESSION['temp_img'][$key]['path'], also do you have permission to write to the web directory your placing the files. You may need to set it to 777 for some hosts to allow the webserver to write there.