brandonsavage / Upload

File uploads with validation and storage strategies
MIT License

Spoofed file extension #67

Open OmarElgabry opened 9 years ago

OmarElgabry commented 9 years ago

Consider a situation where you are allowing users to upload files with MIME types image/png, image/jpeg, text/plain, etc.

Now, a user uploads a file with a spoofed extension, let's say an image claiming to be image/png. When this image gets uploaded it will be saved as filename.png, while getMimetype() will instead scan the content of the uploaded file and return text/plain.

Would it be better if we mapped the MIME type to the extension instead of relying on pathinfo($desiredName, PATHINFO_EXTENSION), as it's not safe and can be faked? Code: FileInfo

As an example:

// Map a content-detected MIME type to the extension the file should be stored with;
// returns null for any MIME type not on the allow-list.
function MimeToExtension($mime) {
    $arr = array(
        'image/jpeg'         => 'jpeg',
        'image/png'          => 'png',
        'application/msword' => 'doc',
        'application/pdf'    => 'pdf'
    );
    return isset($arr[$mime]) ? $arr[$mime] : null;
}
brandonsavage commented 8 years ago

Are you saying that it's possible for someone to upload a file and spoof their MIME type so that an invalid file type is uploaded?

OmarElgabry commented 8 years ago

Spoof their extension. The file is saved using its extension, and the extension is assigned from pathinfo($desiredName, PATHINFO_EXTENSION), which is not safe and can be faked.

I'm suggesting using getMimetype() and mapping the returned value from MIME type to extension using MimeToExtension($mime). This is because getMimetype() will scan the content of the uploaded file.
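The content-sniffed mapping proposed in this thread, written out as an added example (not code from the Upload library or from either commenter); it assumes PHP's ext/fileinfo extension is available and constructs its own sample uploads, including the text-file-named-.png case described above:

```php
<?php
// Added example, not the Upload library's code. Derive the stored extension
// from the MIME type sniffed out of the file's bytes, never from the name the
// uploader supplied. Assumes ext/fileinfo (the finfo class) is loaded.

const ALLOWED_MIME_TO_EXT = [
    'image/jpeg'      => 'jpeg',
    'image/png'       => 'png',
    'text/plain'      => 'txt',
    'application/pdf' => 'pdf',
];

/**
 * Return the extension the file should be stored with, or null if the
 * detected MIME type is not on the allow-list (caller should reject).
 * $desiredName is only consulted to log a mismatch, never to pick the extension.
 */
function safeExtension(string $contents, string $desiredName): ?string
{
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->buffer($contents);                 // sniffed from content
    $claimed  = strtolower(pathinfo($desiredName, PATHINFO_EXTENSION));

    $ext = ALLOWED_MIME_TO_EXT[$detected] ?? null;
    if ($ext === null) {
        return null;                                       // disallowed content type
    }
    if ($claimed !== $ext) {
        // Worth recording: the upload claimed one type and carried another.
        error_log("upload '$desiredName' claimed .$claimed but content is $detected");
    }
    return $ext;
}

// Constructed sample 1: plain text uploaded under a spoofed .png name.
$spoofedText = "hello, this is not an image\n";
var_dump(safeExtension($spoofedText, 'avatar.png'));

// Constructed sample 2: bytes starting with the PNG signature and an IHDR
// chunk for a 1x1 image, uploaded under a .txt name.
$pngBytes = "\x89PNG\r\n\x1a\n"
          . "\x00\x00\x00\x0dIHDR"
          . "\x00\x00\x00\x01\x00\x00\x00\x01\x08\x06\x00\x00\x00"
          . "\x1f\x15\xc4\x89";
var_dump(safeExtension($pngBytes, 'notes.txt'));

// Constructed sample 3: content type not on the allow-list is rejected outright.
$zipBytes = "PK\x03\x04" . str_repeat("\x00", 26);
var_dump(safeExtension($zipBytes, 'report.pdf'));
```

The stored name should then be built from a server-generated base name plus the returned extension, so that the uploader controls neither part.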