Security bug ? File Uploading Class - send php file
#1

[eluser]Neewouay[/eluser]
Hi,

I have a problem with the File Uploading Class.

My param: $config['allowed_types'] = 'csv';

If I send a php file (.php), this file is accepted... because the "mime type" of the php file is "application/octet-stream"...

In system/application/config/mimes.php, on the 'csv' line, the mime type is also "application/octet-stream", which is why the php file is accepted; the upload class apparently does not check the extension.

Is this a security bug?

Sorry for my English, I try to do my best.

Version of CI: 1.7.1
#2

[eluser]TheFuzzy0ne[/eluser]
It only checks the mime type. If you want it to check the file extension, then you can override it, but I don't see the point in that. Someone could easily rename a php file to .csv, and the file will be accepted.
#3

[eluser]louis w[/eluser]
I ran into something similar to this. To solve the problem, I extended the upload class and made a custom is_allowed_filetype which will match the mime (what it does currently) and also match the file extension.

Code:
class MY_Upload extends CI_Upload {

    var $CI;

    function __construct($props = array()) {
        $this->CI =& get_instance();
        parent::__construct($props);
    }

    /**
     * Verify that the filetype is allowed.
     *
     * When the (custom) MODULE_CONF['match_mime_to_ext'] flag is set, the
     * uploaded file's extension must be in allowed_types AND the reported
     * MIME type must be one of the types mimes.php lists for that very
     * extension. Otherwise fall back to the stock MIME-only check.
     *
     * @access    public
     * @return    bool
     */
    function is_allowed_filetype() {

        if (count($this->allowed_types) == 0 OR ! is_array($this->allowed_types)) {
            $this->set_error('upload_no_file_types');
            return FALSE;
        }

        if (empty($this->CI->MODULE_CONF['match_mime_to_ext'])) {
            return parent::is_allowed_filetype();
        }

        // Extension as set by CI_Upload, without the leading dot, lower-cased
        $ext = strtolower(trim($this->file_ext, '.'));

        if ($ext === '' OR ! in_array($ext, array_map('strtolower', $this->allowed_types), TRUE)) {
            return FALSE;
        }

        // mimes_types() returns a string, an array of strings, or FALSE
        // when the extension is not listed in mimes.php
        $mime = $this->mimes_types($ext);

        if (is_array($mime)) {
            return in_array($this->file_type, $mime, TRUE);
        }

        // Strict comparison: FALSE (unknown extension) must never match an
        // empty or missing file_type the way a loose == would allow
        return (is_string($mime) AND $mime === $this->file_type);
    }
}
#4

[eluser]louis w[/eluser]
TheFuzzy0ne, what you're missing is that if someone renames a .php to .csv, the server is not going to execute it as php, so there is no security risk.

I had to start using the code above because FLV files will quite often have an octet-stream mime. So if I wanted to allow them but not allow csv files, I had to also check the extension.
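The two behaviours discussed in this thread side by side, as an added stand-alone example (not CodeIgniter code and not louis w's class): the MIME-only check that CI_Upload 1.7.1 performs, and the extension-plus-MIME check from posts #3 and #4. The $mimes map is a constructed subset of mimes.php; the 'application/octet-stream' entry under 'flv' is an assumption based on louis w's remark that FLV uploads often arrive with that type, since the stock file lists only 'video/x-flv'. The sample uploads are constructed too.

```php
<?php
// Added example, not part of CodeIgniter or of this thread's posted class.

// Constructed subset of system/application/config/mimes.php.
// 'application/octet-stream' under 'flv' is an assumption (see lead-in).
$mimes = array(
    'csv' => array('text/x-comma-separated-values', 'text/comma-separated-values',
                   'application/octet-stream', 'application/vnd.ms-excel',
                   'text/x-csv', 'text/csv', 'application/csv'),
    'flv' => array('video/x-flv', 'application/octet-stream'),
    'php' => array('application/x-httpd-php', 'application/php',
                   'application/x-php', 'text/php', 'text/x-php'),
);

/**
 * MIME-only check, the way CI_Upload::is_allowed_filetype() behaves in 1.7.1:
 * the file passes if its reported type appears under ANY allowed extension,
 * so a .php reported as application/octet-stream passes when 'csv' is allowed.
 */
function allowed_by_mime_only($mime, array $allowed_types, array $mimes)
{
    foreach ($allowed_types as $ext) {
        if (!isset($mimes[$ext])) {
            continue;
        }
        if (in_array($mime, (array) $mimes[$ext], TRUE)) {
            return TRUE;
        }
    }
    return FALSE;
}

/**
 * Combined check from post #3: the extension must itself be allowed AND the
 * reported MIME type must be one registered for THAT extension.
 */
function allowed_by_ext_and_mime($filename, $mime, array $allowed_types, array $mimes)
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, $allowed_types, TRUE)) {
        return FALSE;
    }
    if (!isset($mimes[$ext])) {
        return FALSE;
    }
    return in_array($mime, (array) $mimes[$ext], TRUE);
}

// Constructed uploads: array(filename, browser-reported type)
$uploads = array(
    array('report.csv', 'application/octet-stream'),
    array('shell.php',  'application/octet-stream'),
    array('clip.flv',   'application/octet-stream'),
    array('notes.txt',  'text/plain'),
);
$allowed = array('csv', 'flv');

foreach ($uploads as $u) {
    list($name, $type) = $u;
    printf("%-12s %-26s mime-only: %-6s  ext+mime: %s\n", $name, $type,
        allowed_by_mime_only($type, $allowed, $mimes) ? 'accept' : 'reject',
        allowed_by_ext_and_mime($name, $type, $allowed, $mimes) ? 'accept' : 'reject');
}
```

Running it shows report.csv and clip.flv accepted by both checks, notes.txt rejected by both, and shell.php accepted by the MIME-only check but rejected by the combined one, which is exactly the gap Neewouay reported. Note that in CI 1.7.1 both inputs to the combined check, the extension of the uploaded file name and file_type taken from $_FILES, come from the client request, so the check establishes that the two client-supplied values are consistent with each other; it does not inspect the file's contents.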



