CodeIgniter Forums
FileUpload only check for extension? - Printable Version

+--- Thread: FileUpload only check for extension? (/showthread.php?tid=15508)



FileUpload only check for extension? - El Forum - 02-06-2009

[eluser]FernandoMM[/eluser]
Hello,

I'm using the CodeIgniter upload library and have set allowed_types with the following code:

Code:
$config['allowed_types'] = 'jpg|jpeg|gif|png';

But if I rename a .exe file to .jpg I can upload it. CodeIgniter doesn't show any errors.

Does it only check for file extensions? Can't I check the MIME type of the uploaded file?


FileUpload only check for extension? - El Forum - 02-06-2009

[eluser]therealmaloy[/eluser]
@FernandoMM

Check this helper; look at the manual -> File Upload...

$this->upload->data()

This returns an associative array; look for the index "is_image". This solves the problem... if you are still not contented... :)

Look at the PHP function (alternative):

// check whether it is an image file
if (!getimagesize($_FILES['imagefile']['tmp_name'])) {
    echo "Invalid Image File...";
    exit();
}


FileUpload only check for extension? - El Forum - 02-06-2009

[eluser]FernandoMM[/eluser]
[quote author="therealmaloy" date="1233980978"]@FernandoMM

Check this helper; look at the manual -> File Upload...

$this->upload->data()

This returns an associative array; look for the index "is_image". This solves the problem... if you are still not contented... :)

Look at the PHP function (alternative):

// check whether it is an image file
if (!getimagesize($_FILES['imagefile']['tmp_name'])) {
    echo "Invalid Image File...";
    exit();
}[/quote]

Thanks for the reply. I have tried that and it seems to be working.

Do you think I should report this as a bug on CI's bug tracker? Because from what I tested it seems to be checking only the extension, which is something really unreliable.


FileUpload only check for extension? - El Forum - 02-06-2009

[eluser]FernandoMM[/eluser]
Just to add something in case someone else has this problem. What worked for me was getimagesize(); checking whether "is_image" is 1 or 0 didn't work because CI wrongly identifies an EXE with a .jpg extension as an image.


FileUpload only check for extension? - El Forum - 02-07-2009

[eluser]therealmaloy[/eluser]
@FernandoMM

The normal HTTP uploading procedures just check the filenames, not the real contents inside...

Good that it solved your problem. This case, in my opinion, need not be brought to the attention of the CI crew; I guess they have more things to attend to than this... this is more about our own ways of dealing with uploads from our site users.


FileUpload only check for extension? - El Forum - 02-07-2009

[eluser]FernandoMM[/eluser]
[quote author="therealmaloy" date="1234034315"]@FernandoMM

The normal HTTP uploading procedures just check the filenames, not the real contents inside...

Good that it solved your problem. This case, in my opinion, need not be brought to the attention of the CI crew; I guess they have more things to attend to than this... this is more about our own ways of dealing with uploads from our site users.[/quote]

Actually, I have always checked the MIME type, which is a pretty secure way to check whether a file is what its extension says it is.

Even the simplest PHP upload tutorials ask you to check the MIME type. In my case, I have an upload site for images and people were uploading .exe files, most of them viruses and trojans.

I guess this can be considered a security bug in CI since, from what I have seen on this forum, most users believe that checking with CI is secure.

Thanks for your answers. Have a nice weekend!


FileUpload only check for extension? - El Forum - 02-09-2009

[eluser]simshaun[/eluser]
You can't rely on only the MIME, as it is passed by the browser, and therefore easily faked.
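An added example, not CodeIgniter's own code and not posted by anyone in this thread, that combines the two pieces of advice above: therealmaloy's getimagesize() check and simshaun's point that the MIME type in $_FILES['type'] comes from the browser and can be forged. Instead of the browser's value, it reads the MIME type from the file's own bytes with PHP's fileinfo extension (libmagic), then requires that an image parser agrees with the extension. The function name, the allowed-type table, the size cap and the sample inputs are assumptions for illustration; it assumes PHP 7.1 or later with fileinfo enabled.

```php
<?php
// Added example, not CodeIgniter's own code. Assumes PHP 7.1+ with the
// fileinfo extension enabled (it is compiled in by default).

// Allowed extension -> MIME type the file's bytes must sniff as. Everything
// not in this table is rejected. (Assumed policy for the example.)
const ALLOWED_IMAGE_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
    'png'  => 'image/png',
];

/**
 * Validate an uploaded file by its contents.
 *
 * $path       - the server-side temp file ($_FILES[...]['tmp_name'])
 * $clientName - the name the browser sent ($_FILES[...]['name'])
 * $clientMime - the type the browser sent ($_FILES[...]['type']), reported only
 *
 * Returns null when the file is acceptable, otherwise the reason for rejection.
 */
function validate_image_upload(string $path, string $clientName, string $clientMime): ?string
{
    // Step 1: extension allowlist, from the client name. The extension only
    // decides which content type we will demand; it is never trusted alone.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_IMAGE_TYPES[$ext])) {
        return "extension '$ext' is not allowed";
    }
    $expected = ALLOWED_IMAGE_TYPES[$ext];

    // Step 2: sniff the MIME type from the bytes on disk (libmagic). This is
    // what $_FILES['type'] is not: the browser fills that in from the filename
    // and an attacker can set it to anything.
    $sniffed = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if ($sniffed !== $expected) {
        return "contents sniff as '$sniffed', not '$expected' (browser claimed '$clientMime')";
    }

    // Step 3: make sure an image parser agrees and can read the header. This
    // is the getimagesize() check from the thread, plus a dimension cap so a
    // valid-but-huge image cannot exhaust memory when it is later resized.
    $info = @getimagesize($path);
    if ($info === false || image_type_to_mime_type($info[2]) !== $expected) {
        return 'not a decodable image of the expected type';
    }
    if ($info[0] > 8192 || $info[1] > 8192) {
        return "image is {$info[0]}x{$info[1]}, larger than the 8192px cap";
    }
    return null;
}

// Constructed sample "uploads" (not real files from the thread): a genuine
// 1x1 PNG, and a stub with a Windows executable ("MZ") header standing in for
// the renamed .exe the original poster saw.
$png = base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
);
$exe = "MZ\x90\x00" . str_repeat("\x00", 60) . "This program cannot be run in DOS mode.\r\n";

$cases = [
    // [client filename, bytes, browser-supplied MIME type]
    ['pixel.png', $png, 'image/png'],   // honest upload: passes all three steps
    ['pixel.jpg', $png, 'image/jpeg'],  // real image, wrong extension: fails step 2
    ['virus.jpg', $exe, 'image/jpeg'],  // renamed .exe, browser type forged: fails step 2
    ['virus.exe', $exe, 'application/octet-stream'], // fails step 1
];

foreach ($cases as [$name, $bytes, $claimed]) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $bytes);
    $reason = validate_image_upload($tmp, $name, $claimed);
    printf("%-10s %s\n", $name, $reason === null ? 'accepted' : "rejected: $reason");
    unlink($tmp);
}
```

Note that the renamed executable is caught at step 2 even though the browser reports it as image/jpeg, which is exactly why the client-supplied type is only echoed in the rejection message and never compared. A file that passes all three checks is a real image, but a real image can still carry a script in its metadata, so store it under a server-generated name in a directory the web server does not execute scripts from, not under the name the client sent.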


FileUpload only check for extension? - El Forum - 02-27-2009

[eluser]Steven_W[/eluser]
[quote author="simshaun" date="1234242846"]You can't rely on only the MIME, as it is passed by the browser, and therefore easily faked.[/quote]

From what I understand, checking the file extension is actually safer than the MIME type.

http://www.scanit.be/uploads/php-file-upload.pdf


Does anybody know if the upload class looks at the extension at all?