mime checking v24

See all posts Reply

mime checking v24 new!
by rr1024, 16 years, 8 months ago
Hello,
I first want to say this class is great! I'm love it ;-), I'm not sure if I'm using it correctly or not because I was able to upload files that were not images.

I took a php file and renamed with jpg extention just a s any stupid hacker would do then I added in the
$handle->allowed  = array('image/jpeg',
                          'image/gif',
                          'image/png');
$handle->mime_check  = TRUE; #security
$handle->mime_magic_check = TRUE; 
I've tried all combinations with and without each other listed above and it made no difference.

I think it's because the class is looking at what the mime type the browser thinks it is rather than reading the mime type from the php temp directory.
What I did is used getimagesize on the file while it's in the temp directory....i.e. before copy to public html area and detected it using the mime type if all is ok then I proceeded with the rest of the class opperations of copying file from temp.

I'm wondering if I'm using it wrong or I'm reporting a possible bug? I'll gladly give you the code I used.Reply
Re: mime checking v24 new!
by rr1024, 16 years, 8 months ago
1. How do you do code highlighting in this forum?

2. On this topic:
Note that the php file that I changed to jpg could not execute as is of course....so to all who are wondering it's still a safe class!!!

3. However, I believe, if I'm using the class correctly?, then there should be TWO checks for the mime type to validate the file before it get's moved to the public directory.
A) The current initial check which seems to be received from the browser and then a second check when the file reaches the phptemp directory....

4. Oh one other minor thing
$handle->file_overwrite  = TRUE;
When I tell it to overwrite the file it doesn't it keeps appending with _NN

Anyway...Love this class !!!Reply
Re: mime checking v24 new!
by colin, 16 years, 8 months ago
1. You have to use the following code:
// your code here

2. The image will be executable depending on the server configuration. Generally, the picture will not be executed through PHP, and will be served as an image.

3. I will check all of that, and post the results here.

4. You also need to deactivate file_auto_rename, as following:
$handle->file_overwrite  = TRUE;
$handle->file_auto_rename  = FALSE;
Reply
Re: mime checking v24 new!
by colin, 16 years, 8 months ago
First, you should try to use the 0.25 RC1, that you can find here.

I don't have enough time just right now to check the issue you describe, but I will so so ASAP, and let you know.

In the meantime, feel free to paste your code here.Reply
Re: mime checking v24 new!
by rr1024, 16 years, 8 months ago
Never mind, the error was on my side I some how had called the upload twice and the second time it had no parameters set!!!

;-)Reply
Re: mime checking v24 new!
by colin, 16 years, 8 months ago
So you mean that the upload was rightfully refused if you tried to disguise the PHP script as an image?

Could you paste here the logs of the class you get after processing the file? You can just echo $handle->logReply
Re: mime checking v24 new!
by rr1024, 16 years, 8 months ago
No once I remove the extra process with no set up the class refused the file upload like it was suppose to...even tried a few other tricky things and the class refused to upload anything that was not in the mime list.
Basically I had two calls in my function to do Process
2X of the following
//copy to upload dir
$handle->Process( $ImageArr['ImgPath']  );
One was further down in my code so what was happening is when I would upload a real image it actually was uploading it twice and applying all the setups to one but not the other in the second Process...

The class is solid!!! no worries, I even tried a few other things.
Sorry it was my mistake... ;-) happens when working late...LOLReply
Re: mime checking v24 new!
by colin, 16 years, 8 months ago
Pleasure.

It is good anyway, since it tests the class even more. All feedback is useful.Reply