checking the file extension

Thread in the PHP Classes blog, under the post "PHP security exploit ..."
Subject:checking the file extension
Summary:Is checking the file extension enough to protect against attacks
Date:2007-06-20 08:38:03
Update:2007-06-20 09:59:04

1. checking the file extension
ed - 2007-06-20 09:54:47
I know that only checking the file extension is not enough to make sure the file that was uploaded is really that type of file. But if uploaded files would be handled according to their extension, would that still make an attack possible?

User uploads a .jpg/.gif/.png file full of valid PHP code. But because these are supposed to be images, I only call them using src="". Would that still leave holes uncovered?

Thanks for the great post!

2. Re: checking the file extension
Manuel Lemos - 2007-06-20 09:59:04 - In reply to message 1 from ed
It all depends on how you serve the images. If you just use a URL that makes the Web server serve the images as images because the extension is correct, there is no problem.

The problem occurs when you preserve the original file name and that is .php or equivalent.

Also, you should avoid serving images from PHP scripts using require or include.
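The three points in the reply above (serve by extension through the web server, never keep a client-supplied .php name, never include/require an upload) put together as an added example. This is not code from the thread or from PHP Classes; it assumes an upload directory at /var/www/uploads outside the document root, a form field named "image", and PHP 8 with the GD extension. It goes one step beyond the reply by discarding the original filename entirely and re-encoding the image, so PHP code hidden in metadata or trailing bytes never reaches disk either.

```php
<?php
// Added example, not part of the original thread.
// Assumptions: UPLOAD_DIR is outside the document root (so the web server
// will never execute anything stored there), PHP 8+, GD extension enabled.
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/uploads';   // assumed path, not served directly
const MAX_BYTES  = 2 * 1024 * 1024;      // 2 MiB cap, arbitrary choice

// The extension is assigned from the *detected* image type. The name the
// client sent is never consulted, so "shell.php" or "shell.php.jpg" is moot.
const TYPE_TO_EXT = [
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
    IMAGETYPE_GIF  => 'gif',
];

const EXT_TO_MIME = [
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
    'gif' => 'image/gif',
];

/**
 * Validate one entry of $_FILES and store it under a random, server-chosen
 * name with the extension that matches its real content. Returns the stored
 * basename or throws on any failure.
 */
function store_uploaded_image(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    $tmp = $file['tmp_name'];
    if (!is_uploaded_file($tmp)) {
        throw new RuntimeException('Not an uploaded file');
    }
    if (filesize($tmp) > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }

    // Content check: getimagesize() reads the magic bytes, not the filename.
    $info = @getimagesize($tmp);
    if ($info === false || !isset(TYPE_TO_EXT[$info[2]])) {
        throw new RuntimeException('Not a supported image');
    }
    $ext = TYPE_TO_EXT[$info[2]];

    // Defence in depth: a valid JPEG/PNG/GIF can still carry "<?php ... ?>"
    // in a comment chunk or after the image data. Decoding and re-encoding
    // with GD produces a fresh file that contains only pixel data.
    $img = match ($ext) {
        'jpg' => imagecreatefromjpeg($tmp),
        'png' => imagecreatefrompng($tmp),
        'gif' => imagecreatefromgif($tmp),
    };
    if ($img === false) {
        throw new RuntimeException('Image could not be decoded');
    }

    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;
    $ok = match ($ext) {
        'jpg' => imagejpeg($img, $dest, 85),
        'png' => imagepng($img, $dest),
        'gif' => imagegif($img, $dest),
    };
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('Could not write image');
    }
    return $name;
}

/**
 * Serve a stored image by streaming its bytes with the matching Content-Type.
 * This is the "src=" path: readfile(), never include()/require(), which would
 * run the file as PHP regardless of its extension.
 */
function serve_image(string $name): void
{
    // Accept only the exact shape store_uploaded_image() generates; this also
    // rules out "../" and any other path component.
    if (!preg_match('/^[a-f0-9]{32}\.(jpg|png|gif)$/', $name, $m)) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . EXT_TO_MIME[$m[1]]);
    header('X-Content-Type-Options: nosniff');   // browsers must not sniff it into something else
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}

// Usage (assumed form field "image" and an image.php?f=... endpoint):
//   $stored = store_uploaded_image($_FILES['image']);
//   serve_image($_GET['f'] ?? '');
```

If the uploads directory must live under the document root instead, the caveat a practitioner would add to the reply is that "correct extension" is only safe when the web server decides the handler by the *last* extension. Apache's classic `AddHandler application/x-httpd-php .php` matches any extension in the name, so a preserved `avatar.php.jpg` would still be executed; use `SetHandler` scoped by a `<FilesMatch "\.php$">` block, or disable script execution in that directory, and the random-name scheme above sidesteps the issue altogether.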