False MIME types
I'm working on a file upload script right now, and I've been working on checking the file type.
Now I know you can get the MIME type of the file with $_FILES['field_name']['type'] and you can obviously check the extension of the file (.jpg, .gif, etc), but can either of these really be trusted? Obviously the extension is easy to work around for someone working on maliciously uploading something, but is there great concern for false MIME types? I was reading an article somewhere earlier - of course I can't find the site now - about writing a program to forge MIME types to upload programs and malicious software with a fake "image/jpeg" MIME type. Is there a way to work around this, or is it something that just is a security risk with an upload script?
Kurtis
teammatt3 posted this at 01:38 — 28th June 2008.
He has: 2,102 posts
Joined: Sep 2003
Are you making an image upload form? I started a thread about that a few weeks ago.
Here's the PHP class I ended up creating, you might find it useful: Link to File
Hey, I just remembered, you helped me with the aspect ratio logic. See, I had a good use for it.
kazimmerman posted this at 02:50 — 28th June 2008.
He has: 698 posts
Joined: Jul 2005
I was really just wondering for a general file upload script, meaning images, audio, video, etc. I'm wondering if there is a way for any type of file to tell what the true MIME type is, because according to this website you can create a program to fake a MIME type.
Glad to see my work used for something positive...lol.
Kurtis
pr0gr4mm3r posted this at 03:35 — 28th June 2008.
He has: 1,502 posts
Joined: Sep 2006
I wouldn't trust the mime type, but then again, it's probably not anything to be concerned about. Just make sure that the directory you upload it to isn't executable.
If you want to verify it's a certain media type, you can try to edit it accordingly. For example, load images into a PHP image object. If it fails, it's not a valid image. You can also try to re-render video & audio using something like ffmpeg. If it fails to render based on the mime type, then it isn't valid. This is probably overkill though.
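As an added example (not code from the thread or from anyone posting in it), here is the content check pr0gr4mm3r describes, in PHP: ignore the client-supplied type, sniff the real type from the bytes with fileinfo, confirm GD can decode it, and store it under a server-chosen name. `storeUploadedImage`, `ALLOWED_TYPES`, `MAX_BYTES` and `$uploadDir` are names I chose for the example.

```php
<?php
// Added example, not code from the thread. Ignores the client-supplied
// $_FILES[...]['type'] and inspects the uploaded bytes instead. Assumes the
// fileinfo and GD extensions and an $uploadDir outside the web root.

// Allowlist: sniffed MIME type => extension the server will assign.
const ALLOWED_TYPES = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
const MAX_BYTES = 2 * 1024 * 1024; // 2 MiB; tune per use case

// Validate one $_FILES entry and move it into $uploadDir.
// Returns the server-chosen filename, throws on anything suspicious.
function storeUploadedImage(array $file, string $uploadDir): string
{
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with code ' . $file['error']);
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    $tmp = $file['tmp_name'];
    if (!is_uploaded_file($tmp)) {
        throw new RuntimeException('not a file uploaded via HTTP POST');
    }

    // Sniff the real type from the contents (libmagic), not from the client header.
    $finfo   = finfo_open(FILEINFO_MIME_TYPE);
    $sniffed = finfo_file($finfo, $tmp);
    finfo_close($finfo);
    if (!isset(ALLOWED_TYPES[$sniffed])) {
        throw new RuntimeException("rejected type: $sniffed");
    }

    // Second check: GD must parse it as an image whose format matches the sniffed type.
    $info = @getimagesize($tmp);
    if ($info === false || $info['mime'] !== $sniffed) {
        throw new RuntimeException('content is not a valid image of the sniffed type');
    }
    if (@imagecreatefromstring(file_get_contents($tmp)) === false) {
        throw new RuntimeException('GD could not decode the image');
    }

    // The server picks name and extension; the client's filename is never used.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$sniffed];
    if (!move_uploaded_file($tmp, rtrim($uploadDir, '/') . '/' . $name)) {
        throw new RuntimeException('could not move file into place');
    }
    return $name;
}
```

Keeping the upload directory non-executable, as suggested above, still matters: the content checks reduce what gets stored, but the directory setting is what limits the damage if something slips through.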
kazimmerman posted this at 04:46 — 28th June 2008.
He has: 698 posts
Joined: Jul 2005
Yeah, in fact this is all a bit of overkill since I'm not actually going to be putting the upload script to work publicly. I was just trying to write my own script and trying to figure out all of the security issues I could find. This one probably isn't too big of a problem either considering that even for an image upload script or something similar, a low file size restriction could be used.
Kurtis