[eluser]drewbee[/eluser]
Hi everyone,
I am going to be doing something very dangerous dealing with file uploads and zipping. I am basically going to list the precautions that I am taking during the upload process, and the process itself. If there is anything I can further do to increase the security of this, please let me know as this is a very dangerous thing to do, but unfortunately can not be done efficiently any other way.
the process itself involves a user uploading a zip, the zip extracting itself. Then a automated system visits the extracted files taking screen shots (that is the dangerous part as the files will actually be loaded). The files will then be removed.
1. Upload Zip
- File Extension must be .zip, as well as matching mime type of $allowedUploadTypes
2. Extraction process
- Loop through every file in the archive.
- File extension must be in $allowedFileTypes. If it exists, we also must match mime_type
- For files who are not in $allowedFileTypes, we do not extract them.
- All files in the archive are now what they are suppose to be. Extract files to hidden location only accessible by automated system (htaccess block by IP address)
- Unfortunately, this is when we have to do our mime check after the files have been put there as the file can't be checked until extracted. It will be deleted immediately if extension does not match type.
- If any files were removed during the extension to mime_type check, remove it from the archive
- Save the archive to our new location.
3. Auto mated system comes and takes its screen shots.
4. All files are removed by an unbiased, recursive delete everything including directories method. It simply works its way down until everything is gone.
Other stuff:
- .htaccess is set to not allow anything but static content generate. This is specific to the $allowedFileTypes; Anything trying to even be anything else will just fail. IE If someone manages to get a gif uploaded and some how managed to get it renamed to a php file, it will not execute. As well, the directory will only have read / view permissions specifically for the automated system.
- Automated system does not run any kind of javascript/vbscript on html pages.
- Even if a user got access to the hidden directory, htaccess would deny as it only allows the IP address of the automated system in. This address would have to be compromised and masked as a users own to view it. Even at which point, there is only a little window for them to come in and be able to see it (time between upload & when the automation has finished its business of taking screen shots).
mime_type is being determined by dropping into the shell using the following approach:
i know this is a bit of a mess, but if anything else can be done, I would appreciate i
[eluser]drewbee[/eluser]
Code: $mime = trim(shell_exec(escapeshellcmd ("file -bi " . $file)));
$mime = explode(" ", $mime);
return strtolower(preg_replace('/[^_a-zA-Z0-9-\+\/]/i', '', $mime['0']));
Mime Type and file extension definition.
Code: private $allowedUploadTypes = array('zip' => array('application/zip','application/x-zip','application/x-zip-compressed','application/octet-stream','application/x-compress','application/x-compressed','multipart/x-zip'));
private $allowedFileTypes = array('gif' => array('image/gif','image/x-xbitmap','image/gi_'),
'jpg' => array('image/jpeg','image/jpg','image/jp_','image/pjpeg ','image/pipeg','image/vnd.swiftview-jpeg','image/x-xbitmap'),
'jpeg' => array('image/jpeg','image/jpg','image/jp_','image/pjpeg ','image/pipeg','image/vnd.swiftview-jpeg','image/x-xbitmap'),
'pjpeg' => array('image/jpeg','image/jpg','image/jp_','image/pjpeg ','image/pipeg','image/vnd.swiftview-jpeg','image/x-xbitmap'),
'jfif' => array('image/jpeg','image/jpg','image/jp_','image/pjpeg ','image/pipeg','image/vnd.swiftview-jpeg','image/x-xbitmap'),
'png' => array('image/png','application/png','application/x-png'),
'tif' => array('image/tif','image/x-tif','image/tiff','image/x-tiff','application/tif','application/x-tif','application/tiff','application/x-tiff'),
'tiff' => array('image/tif','image/x-tif','image/tiff','image/x-tiff','application/tif','application/x-tif','application/tiff','application/x-tiff'),
'pdf' => array('application/pdf','application/x-pdf','application/acrobat','applications/vnd.pdf','text/pdf'),
'html' => array('text/html', 'text/plain'),
'htm' => array('text/html', 'text/plain'),
'txt' => array('text/plain','application/txt','browser/internal','text/anytext','widetext/plain','widetext/paragraph','text/x-pdf'),
'swf' => array('application/x-shockwave-flash','application/x-shockwave-flash2-preview','application/futuresplash','image/vnd.rn-realflash'),
'fla' => array('application/octet-stream'),
'js' => array('application/x-javascript','text/javascript'),
'css' => array('text/css','application/css-stylesheet'),
'ico' => array('image/ico','image/x-icon','application/ico','application/x-ico','application/x-win-bitmap','image/x-win-bitmap'),
'doc' => array('application/msword','application/doc','appl/text','application/vnd.msword','application/vnd.ms-word','application/winword','application/word','application/x-msw6','application/x-msword','zz-application/zz-winassoc-doc')
);
|
