ID: 48344
Comment by: carsten_sttgt at gmx dot de
Reported By: danymoussa at gmail dot com
Status: Open
Bug Type: *General Issues
Operating System: Centos 5
PHP Version: 5.2.9
New Comment:
I guess a bug tracker is the wrong place for such questions. E.g. the
user mailing list is a better place.
(hint: mimetype functions)
Regards,
Carsten
Previous Comments:
------------------------------------------------------------------------
[2009-05-20 11:37:48] danymoussa at gmail dot com
Thank you, how can I ensure no one is uploading shell files to my
website? I mean, what's the best way to secure it?
------------------------------------------------------------------------
[2009-05-20 11:33:43] carsten_sttgt at gmx dot de
The Content-Type is set by your browser (or whatever UA you are using
for the POST request).
That's the reason for:
Don't trust the "type" in $_FILES. (A UA can set this to any value
it wants.)
In addition:
If no Content-Type is set by the UA, the default is
"application/octet-stream".
Regards,
Carsten
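
An added example, not part of the original comment or of PHP's own code: one way to handle the upload without trusting $_FILES "type" or "name", by detecting the type from the file's bytes and storing it under a server-chosen name. Assumptions: PHP 7 or later with the Fileinfo extension, the form field "file" from the report, and a hypothetical UPLOAD_DIR outside the web root.

```php
<?php
// Hypothetical storage directory, outside the web root (assumption).
const UPLOAD_DIR = '/var/uploads/images';

// Detected MIME type => extension the file will be stored under.
const ALLOWED = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

function store_image_upload(array $file, string $destDir): string
{
    if (!isset($file['error']) || is_array($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed or malformed');
    }
    // Make sure tmp_name really is a file uploaded in this request.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // Detect the type from the bytes; $file['type'] is whatever the UA sent.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime === false || !isset(ALLOWED[$mime])) {
        throw new RuntimeException('unsupported content type');
    }
    // getimagesize() returns false for data it cannot parse as an image.
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a valid image');
    }
    // Never reuse $file['name']: a server-chosen name with an extension taken
    // from the detected type drops names such as "pic.php.jpg" entirely.
    $dest = $destDir . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store upload');
    }
    return $dest;
}

if (isset($_FILES['file'])) {
    try {
        $path = store_image_upload($_FILES['file'], UPLOAD_DIR);
        echo 'stored as ', basename($path), "\n";
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

A file that passes these checks can still contain PHP text inside valid image data, so the storage directory must never be configured to execute scripts.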
------------------------------------------------------------------------
[2009-05-20 11:24:49] danymoussa at gmail dot com
Submission error, flip actual result with expected result
------------------------------------------------------------------------
[2009-05-20 11:20:19] danymoussa at gmail dot com
Description:
------------
This is a very serious problem that I never faced in earlier PHP
versions. However, I tried to hack into my jpg-upload-image script and was
able to do that by inserting a renamed shell script: pic1.php.jpg
Reproduce code:
---------------
<form action="upload.php" method="post" enctype="multipart/form-data">
<input type="file" name="file">
<input type="submit" value="Upload">
</form>
<?php print_r($_FILES); ?>
Expected result:
----------------
[file] => Array
(
[name] => pic.php.jpg
[type] => image/jpeg
[tmp_name] => /tmp/php96MEPH
[error] => 0
[size] => 23052
)
Actual result:
--------------
[file] => Array
(
[name] => pic.php.jpg
[type] => application/octet-stream
[tmp_name] => /tmp/php96MEPH
[error] => 0
[size] => 23052
)
------------------------------------------------------------------------