CodeIgniter upload class question.
#1

[eluser]Dentafrice[/eluser]
Not sure if this is the correct section, please move it if it isn't.

I own a semi-popular image uploading site (TehUpload [http://www.tehupload.com]) and have recently been "playing around" with CI.

I had a feeling it would save me a ton of time when developing my site, and I was right.

The thing is, the upload class doesn't "securely" check the image as I would like.

You can easily mismatch the filename VIA the request (bla.jpg -> bla.php, and keep the content-type header) and it will easily upload the .php file.

Will the upload class be improved to check the extension AS WELL as the file's integrity, not just the information supplied by the browser/user?
#2

[eluser]Henry Weismann[/eluser]
It is my understanding that you CAN limit the accepted file extensions by sending a config variable to the file upload class upon initialization:

Code:
$config['upload_path']   = './uploads/';
$config['allowed_types'] = 'gif|jpg|png';
$config['max_size']      = '100';
$config['max_width']     = '1024';
$config['max_height']    = '768';

$this->load->library('upload', $config);

The allowed types above says it only allows gif,jpg and png. Is this what you did and it didn't work?
#3

[eluser]Dentafrice[/eluser]
Yes.. I have done that.

The problem is, that the entire Upload Class, from my understanding, ONLY checks the information provided by the browser/file.

Meaning if the header: content-type is image/png, that's all that matters.. you can easily have an image/png "headered" file, and have an extension ".php", and it uploads.

I know that if it's stored out of sight, then it's not as big of a problem, but when you want to limit allowed_types to gif, jpg, png.. then that's what you want..

You don't want .php, .anything files stored..

Hopefully I'm getting the point across.
#4

[eluser]Henry Weismann[/eluser]
Yeah, I get it. I guess they could put a mime type check in the function that checks the file extension too but the user could bypass that as well with a little more knowledge.

I have never used the file upload class but it should check the file name after the file is uploaded. I don't see how the user can modify it after upload... if it doesn't check it using the file name in the files array that seems weird.

I guess if you allow your users to rename a file then even if it is named .jpg they could rename it to .php and run it. But if you don't allow renaming to an executable file they should not be able to run a .jpg file as a php file even if it has php code in it. If you want to check the mime type I would create a file upload sub class in your libraries folder and override the right function and add the mime checking functionality.
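One way to do what the post above suggests, as an added example that is not code from the thread or from CodeIgniter itself: a MY_Upload subclass in application/libraries/ that lets the parent class move the file, then verifies the stored file by its actual bytes rather than by the browser-supplied Content-Type or the client-chosen name, and deletes it if the check fails. It assumes CI_Upload::do_upload(), CI_Upload::data() (with its documented 'full_path' key) and CI_Upload::set_error() behave as in CodeIgniter 1.x; the method _verify_stored_image() and the error key upload_not_an_image are names chosen for this example.

```php
<?php
// application/libraries/MY_Upload.php
// Added example, not part of the original thread or of CodeIgniter.
// Assumes CI_Upload::do_upload(), CI_Upload::data() and CI_Upload::set_error()
// exist as in CodeIgniter 1.x; _verify_stored_image() and the error key
// 'upload_not_an_image' are our own names.

class MY_Upload extends CI_Upload
{
    // Extensions we are willing to keep on disk, whatever the browser claimed.
    var $image_extensions = array('gif', 'jpg', 'jpeg', 'png');

    function do_upload()
    {
        // Let the stock class do its size/dimension/allowed_types work first.
        if ( ! parent::do_upload())
        {
            return FALSE;
        }

        $data = $this->data();   // 'full_path' is the stored file's location

        if ( ! $this->_verify_stored_image($data['full_path']))
        {
            // Never leave a file we could not verify sitting in upload_path.
            @unlink($data['full_path']);
            // Our own key; if no language line exists, CI shows the key itself.
            $this->set_error('upload_not_an_image');
            return FALSE;
        }

        return TRUE;
    }

    /**
     * TRUE only if the extension is on our allow-list, PHP can parse the
     * file as an image by reading its bytes, and the image type found
     * matches the extension (so a PNG cannot be stored as .jpg, let alone .php).
     */
    function _verify_stored_image($full_path)
    {
        $ext = strtolower(pathinfo($full_path, PATHINFO_EXTENSION));
        if ( ! in_array($ext, $this->image_extensions, TRUE))
        {
            return FALSE;        // .php, .phtml, .anything: reject outright
        }

        // getimagesize() inspects the file contents; @ silences its notice on non-images.
        $info = @getimagesize($full_path);
        if ($info === FALSE)
        {
            return FALSE;        // not a parseable image at all
        }

        // Detected type (index 2) -> extensions that type may legitimately carry.
        $type_to_ext = array(
            IMAGETYPE_GIF  => array('gif'),
            IMAGETYPE_JPEG => array('jpg', 'jpeg'),
            IMAGETYPE_PNG  => array('png'),
        );
        if ( ! isset($type_to_ext[$info[2]]))
        {
            return FALSE;        // some other image format under an allowed name
        }

        return in_array($ext, $type_to_ext[$info[2]], TRUE);
    }
}
```

The controller code does not change: `$this->load->library('upload', $config)` picks up MY_Upload automatically as long as the subclass prefix in config.php is still `MY_`. Note the limit of this check, which is the "a little more knowledge" caveat from the post above: a real PNG or JPEG with PHP code appended after the image data still parses as an image, so the content check is not a substitute for refusing non-image extensions and for serving the upload directory without PHP execution; re-encoding the image with GD before saving is one way to strip such trailing payloads.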
#5

[eluser]Dentafrice[/eluser]
I guess they what?

I'm having a little trouble extending the CI_User class, hmm. Might be doing it wrong..

Code:
class MY_Upload extends CI_Upload {

}
That's the correct way, correct?
#6

[eluser]Henry Weismann[/eluser]
Yeah..I was editing my post after I figured out what you were saying in more detail.
#7

[eluser]Henry Weismann[/eluser]
Yes that looks right to me and it should be in your libraries folder named MY_Upload.php. If it doesn't work check and make sure you didn't change the sub class prefix in the config file.
#8

[eluser]helmutbjorg[/eluser]
I use the image upload class at verot.net
Not sure if it does what you're talking about but it is pretty thorough. And can easily be used with CI.
#9

[eluser]Henry Weismann[/eluser]
Also... that looks like you're extending the CI_Upload class, not the CI_user class, if there is one.