preventing executable file uploads 
 preventing executable file uploads
How can I prevent executables being uploaded. They seem to produce a
mime-type of application/octet-stream but so do a lot of other file types
(word docs etc). How can I tell the difference?

regards,
Jon



Mon, 09 May 2005 06:53:15 GMT  
 preventing executable file uploads


Quote:
> How can I prevent executables being uploaded. They seem to produce a
> mime-type of application/octet-stream but so do a lot of other file types
> (word docs etc). How can I tell the difference?

> regards,
> Jon

something like

list($name,$ext) = explode(".", $_POST["fname"]);
if($ext == 'exe') {
    echo "You cant upload executable files";
    exit;
} else {
    // upload
}

Regards

A Dodds



Mon, 09 May 2005 07:11:12 GMT  
 preventing executable file uploads
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In a fit of excitement on Wed, 20 Nov 2002 23:11:12 -0000, "Shodan"

Quote:

> > How can I prevent executables being uploaded. They seem to produce
> > a mime-type of application/octet-stream but so do a lot of other
> > file types (word docs etc). How can I tell the difference?

> > regards,
> > Jon

> something like

> list($name,$ext) = explode(".", $_POST["fname"]);
> if($ext == 'exe') {
>     echo "You cant upload executable files";
>     exit;
> } else {
>     // upload
> }

The above doesn't determine if it's an executable or otherwise.
Likewise, if running on a UNIX platform, the majority of executable
(binary) files don't have extensions.

While at present, I can't give an example of how to achieve the OP's
goal, the above will not reliably detect an executable file.

Regards,

  Ian

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

iQA/AwUBPdwdAmfqtj251CDhEQLkDQCg9c92zeY8h1iP5yezTAfowZcYmEgAoM0G
uPf5uOC1zfma60dCwfOp9ygs
=uIHz
-----END PGP SIGNATURE-----

--
Ian.H  (Design & Development)
digiServ Network - Web solutions
www.digiserv.net  |  irc.digiserv.net  |  forum.digiserv.net
Scripting, Web design, development & hosting.



Mon, 09 May 2005 07:37:27 GMT  
 preventing executable file uploads

Quote:

>> How can I prevent executables being uploaded. They seem to produce a
>> mime-type of application/octet-stream but so do a lot of other file
>> types (word docs etc). How can I tell the difference?

You can't. The mime-type passed on http uploads is completely defined by
the client and should therefore be considered _not_ trustworthy.
However, application/octet-stream isn't necessarily an executable but the
least precise description of what kind of data is uploaded (== a stream
of binary data).

Quote:
> something like

> list($name,$ext) = explode(".", $_POST["fname"]);
> if($ext == 'exe') {
>     echo "You cant upload executable files";
>     exit;
> } else {
>     // upload
> }

... wouldn't work with multiple/no dots, and the filename extension
should _never_ be expected to represent the data type. Do you remember
that fancy "I love you" email worm? AFAIR it was an attachment
"iloveyou.txt.vbs".

On the server side, be sure you know how to handle uploaded files.
- you may get a better impression of the filetype really being uploaded
by using exec("file $filename"); see man file for details
- even without access to the shell, some mime types can be determined
from within PHP, e.g. getImageSize() returns information about the type
of image or 0 if it is not an image
- _never_ chmod(*, 0777); I have seen this in many beginner or even
tutorial scripts, but it's nonsense. Nobody wants an uploaded file to
be executable on the server.

HTH, Jo



Mon, 09 May 2005 09:25:23 GMT  
 preventing executable file uploads

Quote:
> How can I prevent executables being uploaded. They seem to produce a
> mime-type of application/octet-stream but so do a lot of other file types
> (word docs etc). How can I tell the difference?

> regards,
> Jon

Run it through /usr/bin/file (also available under cygwin), if it's not an
approved file type, it's not allowed.

Define an acceptable list of file types and deny everything else.
Optionally, rename the files to their appropriate extension. Graphic files
are commonly misnamed (BMP instead of JPG, etc.).

See "man file" for details.

Leonid
--
Leonid S. Knyshov, CEO - Crashproof Solutions, LLC
http://crashproofsolutions.com



Mon, 09 May 2005 10:14:15 GMT  
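The following is an added example, not code from any post in this thread. It puts Jo's and Leonid's advice together in one upload handler: the client-supplied mime-type and the extension in the original filename are ignored, the content is sniffed (here with PHP's fileinfo extension as a built-in stand-in for exec("file $filename"); that choice, the allow-list and the storage directory are assumptions of this example), image types are cross-checked with getimagesize(), everything not on the allow-list is denied, and the stored copy gets a server-chosen name, the extension matching the detected type, and mode 0644 rather than 0777.

```php
<?php
// Added example (not from any post in this thread): validate an uploaded file
// by its bytes, not by $_FILES['type'] or by the extension the client used.
// Assumes the fileinfo extension (finfo) is available; ALLOWED_TYPES and
// UPLOAD_DIR are illustrative values for this example.

declare(strict_types=1);

// Detected content type => extension the stored copy will get. Anything not
// listed here (executables, scripts, Office docs, ...) is rejected.
const ALLOWED_TYPES = [
    'image/jpeg'      => 'jpg',
    'image/png'       => 'png',
    'image/gif'       => 'gif',
    'application/pdf' => 'pdf',
];

// Storage directory outside the document root (assumption for this example),
// so a stored file is served as data and never executed by the web server.
const UPLOAD_DIR = '/var/uploads';

/**
 * Sniff the content type from the file's magic bytes, the same information
 * "file --mime-type" would give, without shelling out.
 */
function detect_type(string $path): string
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $type  = $finfo->file($path);
    return $type === false ? 'application/octet-stream' : $type;
}

/**
 * For image types, cross-check with getimagesize(), which parses the image
 * header itself and returns false for anything that is not a real image.
 */
function looks_like_image(string $path, string $type): bool
{
    $info = @getimagesize($path);
    return $info !== false && $info['mime'] === $type;
}

/**
 * Validate one entry of $_FILES. Returns the allow-listed extension for the
 * detected type, or null when the upload must be refused.
 */
function validate_upload(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    $tmp = $file['tmp_name'] ?? '';
    // Only accept a path that PHP itself created for this request's upload.
    if ($tmp === '' || !is_uploaded_file($tmp)) {
        return null;
    }
    $type = detect_type($tmp);
    if (!isset(ALLOWED_TYPES[$type])) {
        return null;
    }
    if (strpos($type, 'image/') === 0 && !looks_like_image($tmp, $type)) {
        return null;
    }
    return ALLOWED_TYPES[$type];
}

/**
 * Move a validated upload into place under a random, server-chosen name with
 * the extension of the detected type (so "photo.bmp" that is really a JPEG
 * becomes <random>.jpg). Mode 0644: readable, never executable.
 */
function store_upload(array $file): ?string
{
    $ext = validate_upload($file);
    if ($ext === null) {
        return null;
    }
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0644);
    return $dest;
}

// Usage in the form handler:
//   $saved = store_upload($_FILES['upload'] ?? []);
//   if ($saved === null) {
//       http_response_code(400);
//       echo "File type not allowed";
//       exit;
//   }
```

The original filename never reaches the filesystem, so multiple dots, no dots, or a trailing ".vbs" make no difference to what gets stored. Content sniffing alone is still not a guarantee that a file is harmless (a valid image can carry arbitrary trailing bytes), which is why the example also keeps the file outside the web root, under its own name and extension, and non-executable; those three together are what stop a stored upload from ever being run by the server.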