Bug #48344 $_FILES return wrong file type
Submitted: 2009-05-20 11:20 UTC Modified: 2009-05-20 12:28 UTC
From: danymoussa at gmail dot com Assigned:
Status: Not a bug Package: *General Issues
PHP Version: 5.2.9 OS: Centos 5
Private report: No CVE-ID: None
 [2009-05-20 11:20 UTC] danymoussa at gmail dot com
Description:
------------
This is a very serious problem that I never faced in an earlier PHP version. However, I tried to hack into my jpg-upload-image script and was able to do that by inserting a renamed shell script: pic1.php.jpg

Reproduce code:
---------------
<form action="upload.php" method="post" enctype="multipart/form-data">
	<input type="file" name="file">
	<input type="submit" value="Upload">
</form>

<?php
// upload.php: dump what PHP received for the "file" field
print_r($_FILES);
?>

Expected result:
----------------
    [file] => Array
        (
            [name] => pic.php.jpg
            [type] => image/jpeg
            [tmp_name] => /tmp/php96MEPH
            [error] => 0
            [size] => 23052
        )

Actual result:
--------------
    [file] => Array
        (
            [name] => pic.php.jpg
            [type] => application/octet-stream
            [tmp_name] => /tmp/php96MEPH
            [error] => 0
            [size] => 23052
        )

 [2009-05-20 11:24 UTC] danymoussa at gmail dot com
Submission error, flip actual result with expected result
 [2009-05-20 11:33 UTC] carsten_sttgt at gmx dot de
The Content-Type is set by your browser (or whatever UA you are using for the POST request).

That's the reason for:
Don't trust the "type" in $_FILES. (A UA can set this to any value it wants.)

In addition:
If no Content-Type is set by the UA, the default is "application/octet-stream".

Regards,
Carsten
 [2009-05-20 11:37 UTC] danymoussa at gmail dot com
Thank you, how can I ensure no one is uploading shell files to my website? I mean, what's the best way to secure it?
 [2009-05-20 11:45 UTC] carsten_sttgt at gmx dot de
I guess a bug tracker is the wrong place for such questions; e.g. the user mailing list is a better place.

(hint: mimetype functions)

Regards,
Carsten
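The two points Carsten makes above (the "type" entry is whatever the client sent, and the fix is to inspect the file content with the mimetype functions) can be put together in a small upload handler. The code below is an added example, not part of the bug report or of PHP's own documentation; it uses the `finfo` class, `random_bytes()` and `declare(strict_types=1)`, so it needs PHP 7 or later rather than the 5.2.9 in the report. The `uploads` directory, the allow-list and the function name are this example's own choices.

```php
<?php
// Added example: validate an uploaded image without trusting $_FILES['file']['type'].
declare(strict_types=1);

// Allow-list keyed by the MIME type detected from the file's bytes, mapped to
// the extension *we* will assign on disk (assumed set for this example).
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Returns the path the upload was stored under, or throws on any problem.
 * $file is one entry of $_FILES; $uploadDir is a directory the web server
 * must never execute scripts from.
 */
function validateImageUpload(array $file, string $uploadDir): string
{
    $err = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($err !== UPLOAD_ERR_OK) {
        throw new RuntimeException("Upload failed with error code $err");
    }
    // Only operate on a file PHP itself received in this request.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('tmp_name is not an uploaded file');
    }
    // Sniff the content. The client-supplied 'type' is ignored entirely, since
    // the UA can set it to anything (or leave it as application/octet-stream).
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($file['tmp_name']);
    if ($detected === false || !isset(ALLOWED_TYPES[$detected])) {
        throw new RuntimeException('Rejected: detected MIME type ' . var_export($detected, true));
    }
    // Second check: the file must actually decode as an image.
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Rejected: not a decodable image');
    }
    // Never reuse the client's filename. The extension comes from the detected
    // type, so a name like "pic.php.jpg" cannot survive into the stored path.
    $target = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$detected];
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not move uploaded file');
    }
    return $target;
}

// Handler for the form in the report (field name "file").
try {
    $stored = validateImageUpload($_FILES['file'] ?? [], __DIR__ . '/uploads');
    echo 'Stored as ', basename($stored), "\n";
} catch (RuntimeException $e) {
    http_response_code(400);
    echo 'Upload rejected: ', $e->getMessage(), "\n";
}
```

Content sniffing and `getimagesize()` only establish that the bytes look like an image; a valid JPEG can still carry arbitrary text in its metadata. The two controls that actually matter for the "renamed shell script" case are therefore the server-assigned filename and extension, and keeping the upload directory outside the set of paths the web server hands to the PHP interpreter.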
 [2009-05-20 12:28 UTC] jani@php.net
Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions.  Due to the volume
of reports we can not explain in detail here why your report is not
a bug.  The support channels will be able to provide an explanation
for you.

Thank you for your interest in PHP.
