php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #48344 $_FILES return wrong file type
Submitted: 2009-05-20 11:20 UTC Modified: 2009-05-20 12:28 UTC
From: danymoussa at gmail dot com Assigned:
Status: Not a bug Package: *General Issues
PHP Version: 5.2.9 OS: Centos 5
Private report: No CVE-ID: None
View Add Comment Developer Edit
 [2009-05-20 11:20 UTC] danymoussa at gmail dot com 
Description:
------------
This is a very serious problem that i never faced in php earlier version. However i tried to hack into my jpg-upload-image script and was able to do that by inserting a renamed shell script: pic1.php.jpg

Reproduce code:
---------------
<form action="upload.php" method="post"  enctype="multipart/form-data">
	<input type="file" name="file">
	<input type="submit" value="Upload">
</form>

print_r($_FILES);

Expected result:
----------------
      [file] =&gt; Array
        (
            [name] =&gt; pic.php.jpg
            [type] =&gt; image/jpeg
            [tmp_name] =&gt; /tmp/php96MEPH
            [error] =&gt; 0
            [size] =&gt; 23052
        )  

Actual result:
--------------
[file] =&gt; Array
        (
            [name] =&gt; pic.php.jpg
            [type] =&gt; application/octet-stream
            [tmp_name] =&gt; /tmp/php96MEPH
            [error] =&gt; 0
            [size] =&gt; 23052
        )

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2009-05-20 11:24 UTC] danymoussa at gmail dot com 
Submission error, flip actual result with expected result
 [2009-05-20 11:33 UTC] carsten_sttgt at gmx dot de 
The Content-Type is set by your browser (or what ever UA you are using for the POST request).

That's the reason for:
Don't trust the "type" in $_FILES. (An UA can set this to every value it want.)

In addition:
If no Content-Type is set by the UA, the default is "application/octet-stream".

Regards,
Carsten
 [2009-05-20 11:37 UTC] danymoussa at gmail dot com 
Thank you, how can i insure no one is uploading shell files to my website? i mean what's the best way to secure it?
 [2009-05-20 11:45 UTC] carsten_sttgt at gmx dot de 
I guess a bug tracker is the wrong place for such questions. e.g. the user mailing list a better place.

(hint: mimetype functions)

Regards,
Carsten
 [2009-05-20 12:28 UTC] jani@php.net 
Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions.  Due to the volume
of reports we can not explain in detail here why your report is not
a bug.  The support channels will be able to provide an explanation
for you.

Thank you for your interest in PHP.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Wed May 01 06:01:31 2024 UTC