File upload security


I've written a script which takes a couple of user image files and uses
them to create a watermarked image.

I'm checking the images like so:

if (!empty($_FILES['pattern']['tmp_name'])) {
    header('Location: watermark.php?nosize=2');
    exit; // stop the script once the redirect header has been sent
}

It has been suggested to me that this is still insecure as people could
use 'character substitution hacks' to upload files to the tmp directory.

Geoff Berrow (put thecat out to email)
It's only Usenet, no one dies.
My opinions, not the committee's, mine.
Simple RFDs

Re: File upload security

Geoff Berrow wrote:


I usually start out like this (from the top of my head, not tested)...

if (   isset($_FILES['pattern'])
    && isset($_FILES['pattern']['error'])
    && $_FILES['pattern']['error'] == 0
    // this tells me that the file was uploaded via my script
    && is_uploaded_file($_FILES['pattern']['tmp_name'])
    // the file exists
    && file_exists($_FILES['pattern']['tmp_name'])
    // See notes below (getimagesize() returns false if it cannot parse the file)
    && ($img_info = getimagesize($_FILES['pattern']['tmp_name'])) !== false
) {
    // image type checks described below; on success set $IMG_PROCESSED = true
} else {
    // whatever error stuff needs to be done goes here
}
// Function calls above are reconstructed from the post's comments and text.

The next steps I usually do involve checking that the image type is
something that I am expecting and that the server's PHP/GD install can
handle. Once I have decided that everything is OK, I set the
$IMG_PROCESSED variable to boolean true.

To be honest, I haven't really dealt with character substitution hacks
because it has never come up for me. However, I don't see how character
substitution would get by checking with file_exists, getimagesize, and
then parsing the output from getimagesize... If that is still insecure,
I'd like to hear about that. (Perhaps Chris Shiflett would be the one to
really answer that question...)

Justin Koivisto, ZCE -
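A fuller version of the checks both posts describe (the presence test in the first post, and the is_uploaded_file / getimagesize / GD-capability sequence in the reply), as an added example that is not code from either poster. It assumes the form field is named pattern as in the thread, that GD is installed, that the stored file goes to an assumed directory outside the web root, and that the size and dimension limits are constructed values. It also goes one step beyond the thread: the stored copy is re-encoded through GD under a server-generated name with a fixed extension, so the client-supplied filename is never used on the server's filesystem.

```php
<?php
// Added example, not code from the thread. Assumes GD is installed and that
// $uploadDir (see bottom) is a writable directory outside the web root.

/**
 * Validate an uploaded image. Returns an array with the decoded GD image,
 * its detected type and dimensions, or null with $error set on failure.
 */
function accept_uploaded_image(array $file, ?string &$error = null)
{
    $error = null;

    // 1. PHP's own upload bookkeeping: no transfer error, and the temp file
    //    was really created by this request, not a path supplied by the client.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        $error = 'upload failed or missing';
        return null;
    }
    if (!isset($file['tmp_name']) || !is_uploaded_file($file['tmp_name'])) {
        $error = 'not an uploaded file';
        return null;
    }

    // 2. Size cap before decoding anything (constructed limit: 2 MiB).
    if (filesize($file['tmp_name']) > 2 * 1024 * 1024) {
        $error = 'file too large';
        return null;
    }

    // 3. Sniff the real format from the bytes; the client-supplied name and
    //    Content-Type are ignored. getimagesize() returns false if the
    //    header cannot be parsed.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false) {
        $error = 'not a recognised image';
        return null;
    }
    [$width, $height, $type] = $info;

    // 4. Allowlist of formats this application expects, each mapped to the
    //    GD capability bit and decoder function for that format.
    $allowed = [
        IMAGETYPE_JPEG => [IMG_JPG, 'imagecreatefromjpeg'],
        IMAGETYPE_PNG  => [IMG_PNG, 'imagecreatefrompng'],
        IMAGETYPE_GIF  => [IMG_GIF, 'imagecreatefromgif'],
    ];
    if (!isset($allowed[$type])) {
        $error = 'image type not permitted';
        return null;
    }
    [$gdBit, $decoder] = $allowed[$type];

    // 5. Confirm the local GD build can actually decode this format.
    if (!(imagetypes() & $gdBit)) {
        $error = 'server cannot process this image type';
        return null;
    }

    // 6. Bound pixel dimensions so a small file cannot expand into a huge
    //    allocation when decoded (constructed limit: 4000 x 4000).
    if ($width < 1 || $height < 1 || $width > 4000 || $height > 4000) {
        $error = 'image dimensions out of range';
        return null;
    }

    // 7. Fully decode. A file whose header passes getimagesize() but whose
    //    body is not a valid image fails here.
    $img = @$decoder($file['tmp_name']);
    if ($img === false) {
        $error = 'image data is corrupt';
        return null;
    }
    return ['image' => $img, 'type' => $type, 'width' => $width, 'height' => $height];
}

/**
 * Store the decoded image under a random server-generated name with a fixed
 * extension, re-encoded through GD so only pixel data is written.
 */
function store_as_png($img, string $uploadDir): string
{
    $name = bin2hex(random_bytes(16)) . '.png';
    $path = rtrim($uploadDir, '/') . '/' . $name;
    if (!imagepng($img, $path)) {
        throw new RuntimeException('could not write image');
    }
    imagedestroy($img);
    return $path;
}

// Usage in the upload handler (redirect target taken from the thread):
$result = accept_uploaded_image($_FILES['pattern'] ?? [], $error);
if ($result === null) {
    header('Location: watermark.php?nosize=2');
    exit;
}
$IMG_PROCESSED = true;
$stored = store_as_png($result['image'], '/var/app/uploads'); // assumed path
```

The order matters: the cheap bookkeeping and size checks run before any byte of the file is parsed, getimagesize() is only trusted as a sniff of the header, and the full decode plus re-encode is what finally guarantees the stored object is an image and nothing else.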
