I am working on a script that will process user upload on the server, and as an additional layer of security I want to know:
Is there any way to locate the correct extension / file type of the file, and make sure it is not masked with another file type with a different extension ?
Is there a byte stamp or some unique identifier for each type / extension?
I have to find out that no one has applied any separate extension on the file they are uploading.
Thank you,
Not really,
Need to read the first few bytes of each file and the known file types to be defined as a header for the finite set.
Most files have separate file headers, some meta data in the first few bytes or the first few kilobytes in the case of MP3.
Your program will only attempt to parse the file for your approved file types.
For my program, I send the uploaded image to ImageMagak in a try-blocking block, and if it moves, I think it was a bad image. It should be considered unsafe, because I am loading the arbitrary (user-provided) binary data into an external program, which is usually an attack vector. I here, I can do anything on my system to image magic I'm trusting.
I recommend writing your own handler for the important file types you want to use to avoid any attack vectors.
EDIT: I see in PHP that there are some tools for you to do this.
In addition to this, the mime types are user to claim the browser file. It is easy and useful for you to read and work in your code, but this is not a safe method, because anyone is sending you bad files, the copy MIM header will be easy. It is like a frontline defense to keep in front of you, which requires JPEG from barring on PPG, but if someone has embedded a virus in .exe and named it JPEG, then the mime type is cheated There is no reason to give.
Comments
Post a Comment