After a file has been uploaded to the tmp folder, for example a pdf file, would php fileinfo mime check be enough to verify that the file is indeed a pdf file and is not infected?
How do you verify that a user uploaded file has no virus?
so that I could let users download it?
My scenario is this:
A user uploads a pdf file, I then let another user read his pdf file.
php fileinfo mime check be enough to verify that the file is indeed a pdf file and is not infected
No. It will tell you if it looks like a PDF file, but do no virus checking.
How do you verify that a user uploaded file has no virus?
With a virus scanner. There are plenty of commercial and non-commercial packages out there.
A mime check does not guarantee anything, to be reasonably sure that a file has no virus, you will have to pass it through a virus scanner, like for example clam on linux.
Related
I want to create file sharing platform but php has some bug about it.I just use fread to get text of any file (exe,pdf,docx,ppt and etc) then I create text file with random name and with .txt extension.So when user want to download this file ,I create random folder and inside of that folder I create file which has same text that user want to download , and then I give extension which is same as user uploaded version of file and force user to download it.
But when user download file,for example zip file and then if user wants to open , it says failed to open because not supported format.This happens when I try to do this with docx,pdfs,zips and that kind of files (not txt,html,css,c files).
Example : I force the user to download with same extension that he uploaded, for example if user uploaded zip file,I read the text with fread then save this text in the db or text file,and then if user wants to download that file, I just create file and give it zip extension, then force the user to download it,but once user upload this file then if user want to open it fails, but it should open zip file because content text of this file is exact same as user uploaded to the server
Answer should contain:
1)Why this happens?How to fix it?
2)What is the ideal solution?
3)is it safe to do this?
This happens, because windows knows the app to open file file just from the extension. If you rename the file to something.txt, then the editor always wants to open it.
There's no such thing as an ideal solution. A soltution would be to store the file with the original name (maybe at some unique part to prevent duplicates) in a non public readable directory without execution bit set. To access the file, you could create a proxy script, which returns the file and appens a should download header (and maybe the original filename).
Its as safe, as you implement it. Your current solution could be safe, the solution I posted could be safe - but without knowing the details, how you implemented it, nobody knows, if it is actually safe.
It happens because you are opening binary files like a zip file and storing it in a text file then streaming it with the zip extension again.
The ideal solution would be to use one of the 1 million open source file managers out there with proven records and big developer communities. But if for some reason you want to build your own, save the files in a safe folder outside your public folder. store the path in a database of choice together with the public path you will show your users. Upon request use the public path to map to the private path and start the download yourself.
Is as safe as you make it, but nothing is 100% safe so if you are storing sensitive data use something that is well build and documented
I know for the fact that there is trojan or malware in php which represents itself as an image. And I also know that to filter out the file upload we use extensions such as .txt or .png.
Is there a way to scan the files manually when they are being uploaded into the server using server built-in antivirus or the server doing this kind of tasks automatically for us? ( I mean particularly in cpanel )
thanks
If you are worried about code being uploaded to your server in the form of an image, simply re-encode the image upon upload. A file containing code with an image extension will throw an error when the encoder tries to process it.
I'm php programer and familiar to secur file upload such as:
1- Do not place the .htaccess file in the same directory where the uploaded files will be stored. It should be placed in the parent directory.
2-If possible, upload the files in a directory outside the server root.
3-Prevent overwriting of existing files (to prevent the .htaccess overwrite attack).
4-Create a list of accepted mime-types (map extensions from these mime types).
5-Generate a random file name and add the previously generated extension.
6-Don’t rely on client-side validation only, since it is not enough. Ideally one should have both server-side and client-side validation implemented.
8-check mime type and file name and extevtion of file, also store hash of file and..... and other tips base on this links:
1-http://www.acunetix.com/websitesecurity/upload-forms-threat/
2-https://www.owasp.org/index.php/Unrestricted_File_Upload
but I have web site that users can upload mal file or exe file To the experts examine the file .also confidentiality of files is important.
so this file have two restriction: 1- users can upload mal file or exe file 2-theese file are secret and should have good protection i storage(To maintain confidentiality)
my solution is:
1- I force users to send the zip file .and the program pload the files in a directory outside the server root.. This restriction is sufficient?
2- To maintain confidentiality of files.how can store some section of file in database and other section in the file system stored on the file system. In order to , if the hacker compromise the server will not be able to abtain hole file data?
1- I force users to send the zip file .and the program pload the files in a directory outside the server root.. This restriction is sufficient?
How would you enforce this? Checking the file extension? Trusting user-provided headers? Parsing the file and guessing its MIME type?
2- To maintain confidentiality of files.how can store some section of file in database and other section in the file system stored on the file system. In order to , if the hacker compromise the server will not be able to abtain hole file data?
This won't buy you much. If an attacker can compromise your systems, they can get the database password from the same disk as half the file, and thereby recover the whole file.
A much better idea would be to pass the files' contents to a separate server (e.g. an Amazon S3 bucket) and serve your files from a different domain name.
but I have web site that users can upload mal file or exe file To the experts examine the file .also confidentiality of files is important.
Is this for someting like VirusTotal?
I want to implement validation on image files (.jpg, .png, .gif) in such a way that if a user changes the extension of html into jpeg then the system will restrict him that this file is in an invalid format. I have implement the validation on file extension, but I want to implement this validation as well.
And I am uploading video (.wav, .flv, .mp4) and audio (.mp3) files as well, and if someone upload file with wrong extension, the system will restrict him. How I can do this?
tried finfo_file - required pecl fileinfo, php 5.3 and above,
this function will return a REAL mime type of an uploaded file,
based on this info, you can do comparison and blocking any unwanted extension (mime)
I am having an issue when using mime types in PHP.
As a security feature, I am placing any content uploaded to my server by users in a directory outside of public_html. When a user wants to access their uploaded files in the browser, I use php script to pull the file from the secure folder using readfile and header('content-type'), the issue I am having so far only pertains to mp3s.
When I try and use this for a mp3 file, the file doesn't actually play in the browser, but M4As work fine. And it isn't every mp3 file too, it just seems that when I get the mime-type of some mp3 files php can't tell that they are mp3s. The mp3s also playback fine if I download them, so it isn't an issue with the file per say (unless the file has the wrong mime-type somehow).
How do I get it to tell that they ARE mp3s?
My getFile code is here: codepad.org
Any help would be appreciated greatly, I'll even give you some of my tracking cookies!
For mp3s, did you try:
header("Content-Type: audio/mpeg");