Is it "good" to change an image file extension?
For instance, I have a jpg file inputed, and I change it to a png. Is this OK or should I leave it as a jpg?
I use the rename() to change the name and the file extension.
It is related to PHP, because I do my renaming with PHP with a upload script.
Another question is: Is it safe to do it e.g can the files become corrupt?
Changing an image file extension from .jpg to .png does not change it to a PNG file. It just changes the name of the file. This does not change the contents of the file at all, so it does not become corrupt. It only changes the name of it.
Leave file names with the appropriate extension, or you will confuse everyone, including yourself.
No, the file cannot become corrupt... a file name is just the name.
Never allow users to dictate the names of files on your system. No matter what they upload, rename it to something with no extension, and store the files outside of the web server's doc root. You don't want them uploading .php scripts and what not.
Changing the extension of file is just renaming it. The extension serves the purpose of merely defining the data type that the file contains.
Renaming a JPEG file into a PNG is therefore a very bad idea. Although some image viewers may still be able to figure out that your PNG is actually JPEG and view it correctly, others will not.
Use ImageMagick or GD 2 to do any image conversions in PHP.
Related
I've tried to look around for some tricks on how I can do this safely, without executing the code.
Does the code get executed if i simply upload it to the file system, then leave it be until someone downloads it?
Or is this a potential threat aswell?
What I am trying to do is making the users able to upload their CV in pdf files. The administrator can then download this pdf file (not being viewed on server, but downloaded).
How should I do this to prevent malicious files from being executed on my server? Also, would it be risky to place this folder OUTSIDE the public_html folder?
There's not a lot of risk to upload .pdf in a folder.
the folder must be in 644 (chmod). and have a index.php with redirect to the index of the website
Inside or outsite the "public_html" .. it's not a problem
when you upload, you can check the extension (.pdf) and type mime:
with finfo_file (http://php.net/manual/en/function.finfo-file.php )
and
with $extension = substr($file, -3);
That depends on how your server is set. If it allows PDF files to be used as executable, or to be opened with particular application/processing script that could be used for malicious actions. Otherwise you have to follow simple instructions such as restriction of file name length and avoiding to perform read operation of that file. As I understand you need only to upload and safe them. I'd keep them in public_html and once uploaded correctly (you checked filesize, extension etc) moved them whenever you like.
I have a upload image function on my web app, I tried to upload a php file with a code like this <script>alert('XSS')</script> the file is hack.php.jpg then, I upload it and it is uploaded, my fear of this is that, will the script will run and return something to the malicious user or it will ignore the script inside of the .jpg ? Here are the list of function of my upload image:
1) It will rename the image then will be saved on the folder.
2) only accepted extensions are jpg, png, jpeg .
3) file size < 1000000.
4) uniqid() used for renaming the name of the img.
5) I use unlink() and move_upload_file() for saving the img and deleting the img on the folder.
6) my <form> enctype is multipart/form-data and accept="image/*".
I learned my code in codecourse php upload file video.
How do you parse the extension of the file?
Ideally, you completely rename the file. For example to "randomhash.jpeg/jpg/png". That way it is impossible for it to ever contain the ".php" extension.
Another thing you can do is disable PHP code execution (in nginx or Apache) in the folder where you store your images.
You can also additionally make use of the functions getimagesize and exif_imagetype to check for it being a valid image. Just keep in mind that those functions are not foolproof.
Using a simple firefox addon, a hacker can change the mime type of any file they want to upload, bypassing your file type checker.
Hackers can then use a program like GIMP to embed a php script inside the binary data of an image, audio or any other file.
How can I check for this, and prevent it?
You can use mime_content_type() to get the actual mime type of the file instead of the value transmitted by the client browser.
Then you can use a library such as php-ClamAV that allows to perform virus-scans in PHP.
You can discard any file extension except those you expect (eg .png, .jpg, etc if you're expecting images).
In the specific case of images, you could also neutralize images by modifying them (eg slightly resize them, modify the compression rate, something that would modify the data and neutralize any executable).
Finally of course, take of not giving the execution right to the file. But contrary to what is said in the comments, this will not really protect you. If the hacker finds a way to run php file though an injection for instance, he'll be able to chmod the file and get the execution right (and even run it).
A good practice is also to always rename the file in an unpredictable way. If it is not meant to be accessed by clients after upload, send the files in a folder where directory browsing is disabled.
Is there any way to upload multiple files using a single file?...basically i want to upload multiple pdf files at once, using one single file that contains the path to each one of the pdf files...and store the information to mysql database...
PS: i dont want to merge all the files into 1 huge pdf...i want each 1 of pdf file to be uploaded to server dir at once and then store the file info to database eg. path, file info, filename for later use..
In order for a file to be uploaded, the user has to select that file manually. It's a security measure (otherwise websites could examine arbitrary files on your computer without your knowledge, which would be bad).
No - Because it would break the Javascript sandbox model (i.e. would be a security problem).
For security concern, it's hard to do this by javascript, which means you will have the access to others local files.
Why not just pack them up into a zip file then unzip on the sever side?
I am trying to download some files. I have written a php script that can gather all of the address of the pdf files I need to download into a array but the file names on that server are odd. How does one go about downloading pdf files with php?
you can try (if I understand your question correctly)
file_put_contents('/your/file/name.pdf',
file_get_contents('http://www.example.com/oddFile.pdf'))
Check out the file or file_get_contents functions. It can take URLs as well as local filenames.
http://www.php.net/manual/en/function.file.php
http://www.php.net/manual/en/function.file-get-contents.php