Verifying file type of ANY upload - php

I read that for images, it's not safe to depend on the file extension and that it's better to try to open the php with an image library like gd to verify its extension.
What about other types of files? If I have a .doc or .pdf or any other file type, how can I really tell the file type is really what it claims it is?

If you are on a *nix system the file command does a pretty good job at guessing mime type. It is not perfect, and fails on 'nested' types like .tar.gz but it is pretty good.
As I understand it, Fileinfo uses the same magic numbers approach as file without needing to go to the shell...

I don't know if it works for any file type, but you can check mime type using mime_content_type or filetype.

Related

PHP Does fileinfo function look inside file or just checks the extension of file

We have PHP 7.4 code where we upload video files.
All MP4 are seen as MIME=video/mp4.
However, on rare occasions an mp4 file is detected by PHP as video/quicktime, which we do not allow.
The HTTP POST says it is a video/mp4.
$finfo = finfo_open(FILEINFO_MIME_TYPE);
$mime = finfo_file($finfo, $file['file']['tmp_name']);
finfo_close($finfo);
Why would mime change if extension is the same? Is PHP looking inside the file for video format?
The function you are using is examining the contents of the file rather than the file name to determine what the appropriate MIME type is.
From the Fileinfo extension documentation where the finfo_* family of functions comes from:
The functions in this module try to guess the content type and encoding of a file by looking for certain magic byte sequences at specific positions within the file. While this is not a bullet proof approach the heuristics used do a very good job.
The rare instances you are encountering are likely the result of someone saving or renaming a QuickTime file with the wrong extension.
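
As an added example (not code from any of the posts on this page), this sketch shows the content-based check the answer describes: the extension selects which MIME types are acceptable, finfo decides from the bytes, and the browser-supplied type is ignored. The `ALLOWED` policy map, `check_upload()` and the sample files are constructed for illustration.

```php
<?php
// Assumed policy: extension => MIME types finfo may report that we accept.
const ALLOWED = [
    'png' => ['image/png'],
    'jpg' => ['image/jpeg'],
    'pdf' => ['application/pdf'],
    'mp4' => ['video/mp4'],   // video/quicktime deliberately not accepted
];

/**
 * Decide on an upload from its original name and the bytes on disk.
 * $_FILES[...]['type'] is sent by the client and is never consulted.
 * Returns [bool accepted, string detail].
 */
function check_upload(string $origName, string $tmpPath): array
{
    $ext = strtolower(pathinfo($origName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return [false, "extension '$ext' not allowed"];
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);   // sniffed from magic bytes, not the name
    if ($mime === false || !in_array($mime, ALLOWED[$ext], true)) {
        return [false, 'content is ' . var_export($mime, true) . ", not a valid .$ext"];
    }
    return [true, $mime];
}

// Constructed samples: [original file name, file bytes].
$samples = [
    ['photo.png',  "\x89PNG\r\n\x1a\n\0\0\0\rIHDR\0\0\0\x01\0\0\0\x01\x08\x06\0\0\0"],
    ['photo.jpg',  "<html><body>not an image</body></html>"],  // HTML renamed to .jpg
    ['report.pdf', "%PDF-1.4\n1 0 obj\n<< >>\nendobj\n"],
    ['notes.php',  "<?php echo 'x';"],                          // extension not allowed
];
foreach ($samples as [$name, $bytes]) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $bytes);
    [$ok, $detail] = check_upload($name, $tmp);
    printf("%-11s %s (%s)\n", $name, $ok ? 'ACCEPT' : 'REJECT', $detail);
    unlink($tmp);
}
```

In a real handler the second argument is `$_FILES['file']['tmp_name']`, passed only after `is_uploaded_file()` succeeds for it.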

MIME error when uploading with PHP - docx files

A website I am building allows file uploads by authorised users. For any specific category of uploads, a set of file types is allowed, e.g. .pdf and .docx, so that my client can choose what they want to accept.
When uploading, I check the uploaded file's MIME type (using finfo_open(FILEINFO_MIME_TYPE)) against a database table of MIME types for that extension.
In testing, I am uploading a docx file from my PC - it has a docx extension and Windows reports the file type as application/vnd.openxmlformats-officedocument.wordprocessingml.document which is what I expect. However, finfo_open is giving me a MIME type of application/msword.
Does finfo_open's information come from within the file or from something in the browser or the upload process (in which case I guess I'll need to specify additional MIME types allowed) or is it something within the web server (in which case, can it be modified with php.ini)?
I believe in PHP it's safer to use the $_FILES to check out the file MIME type.
Still, I don't think it bothers for this. Are you sure you gave a docx and not just a doc document? Usually application/msword is the mime type for doc file extension... Make sure that you save your file using the right version of Microsoft Word and in the right format and then try again. Also, I'd try to use a print_r on $_FILES to see what it tells you about the file. Does it tell you that the file has a different mime type?

query regarding image/audio/video upload in php

I want to implement validation on image files (.jpg, .png, .gif) in such a way that if a user changes the extension of html into jpeg then the system will restrict him that this file is in an invalid format. I have implemented the validation on file extension, but I want to implement this validation as well.
And I am uploading video (.wav, .flv, .mp4) and audio (.mp3) files as well, and if someone uploads a file with the wrong extension, the system will restrict him. How can I do this?
tried finfo_file - required pecl fileinfo, php 5.3 and above,
this function will return a REAL mime type of an uploaded file,
based on this info, you can do a comparison and block any unwanted extension (mime)

Safely allow upload of web fonts (ttf, eot, svg, woff, otf) via MIME TYPES / fil

I'm trying to allow safe upload of web fonts in our application, by checking against mime types. This works for most types of files we allow, but it's a problem for web fonts.
We check the mime-type by using PHP's http://php.net/manual/en/book.fileinfo.php
The problem is that php will detect all web fonts as mime "application/octet-stream", but allowing that, would allow .exe or many other possibly dangerous file uploads.
What is the best way to handle upload of this kind of files?
Find a magic file that contains info about the font formats, and pass that to finfo_open().
I don't rely on mime checkers built into PHP. I always have problems with them. If you're running Linux, use PHP's exec command to execute the mimetype command in bash and return it to PHP.
You should use phpinfo to check extension, mime type can be fake, and you can get a .php file with the mime type of a pdf.
EDIT
$file = "abc.ttf";
// compare the lower-cased extension against the list of allowed extensions
if (in_array(strtolower(pathinfo($file, PATHINFO_EXTENSION)), array("ttf")))
{
// OK
}
You can add more extensions to the array.
If TTF files are the only ones allowed to be uploaded, use this:
http://www.phpkode.com/scripts/item/ttf-info-plus/
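
Since finfo reports these fonts as application/octet-stream, one alternative to supplying a custom magic file is to compare the first four bytes against each container's signature. This is an added example, not code from the answers above; `FONT_MAGIC`, `font_signature_ok()` and the sample bytes are constructed, and EOT and SVG are not covered.

```php
<?php
// Leading four-byte signatures of the font containers accepted here.
const FONT_MAGIC = [
    'ttf'   => ["\x00\x01\x00\x00", 'true'],  // TrueType outlines
    'otf'   => ['OTTO'],                      // OpenType with CFF outlines
    'woff'  => ['wOFF'],
    'woff2' => ['wOF2'],
];

/** True only if the extension is an accepted font type AND the header matches it. */
function font_signature_ok(string $origName, string $tmpPath): bool
{
    $ext = strtolower(pathinfo($origName, PATHINFO_EXTENSION));
    if (!isset(FONT_MAGIC[$ext])) {
        return false;                 // not a font type we accept
    }
    $fh = fopen($tmpPath, 'rb');
    if ($fh === false) {
        return false;
    }
    $head = fread($fh, 4);            // may be shorter than 4 bytes, or false
    fclose($fh);
    return in_array($head, FONT_MAGIC[$ext], true);
}

// Constructed samples: [original file name, leading bytes of the file].
$samples = [
    ['brand.woff',  "wOFF\x00\x01\x00\x00" . str_repeat("\0", 36)],
    ['brand.otf',   "OTTO\x00\x0a" . str_repeat("\0", 6)],
    ['brand.ttf',   "MZ\x90\x00\x03\x00\x00\x00"],   // PE executable header, renamed
    ['brand.woff2', "wOFF\x00\x01\x00\x00"],         // WOFF 1 bytes under a .woff2 name
];
foreach ($samples as [$name, $bytes]) {
    $tmp = tempnam(sys_get_temp_dir(), 'fnt');
    file_put_contents($tmp, $bytes);
    printf("%-12s %s\n", $name, font_signature_ok($name, $tmp) ? 'ACCEPT' : 'REJECT');
    unlink($tmp);
}
```

A matching header only identifies the container type; it does not show that the rest of the file is a well-formed font.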

Get MIME Type via PHP

I have local access to files, which I need to get their MIME types. Working in WAMP/LAMP, CodeIgniter, and Zend libraries. What's the best way to get MIME type information?
There's no easy way. You could try:
http://www.php.net/manual/en/function.finfo-file.php
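// return mime type ala mimetype extension
$finfo = finfo_open(FILEINFO_MIME_TYPE);
echo finfo_file($finfo, $path), "\n"; // $path (placeholder): the local file to inspect
finfo_close($finfo);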
Of course, this assumes you can install PECL extensions.
I think you need head. Quickest way is to do a head request, or in PHP under apache you can use apache_lookup_uri or in PHP 5.3 you can use FileInfo (I'd still recommend apache_lookup_uri or a simple head request though).
It's never a good idea to try and find the mime type based on the file extension, as this can obviously be renamed by the user who's uploading - from .exe to .jpg
Real mime type detection is part of your overall security measures.
Parse your Apache's mime.types file.
Try CI's built in function "get_mime_by_extension($file)". You can find it in the "system/helpers/file_helper.php" file
