PHP :: Bug #79635 :: mime_content_type wrong type with proper file

Bug #79635	mime_content_type wrong type with proper file
Submitted:	2020-05-26 08:24 UTC	Modified:	2020-06-01 18:05 UTC
From:	matteo dot gruppi at cyberoo dot com	Assigned:
Status:	Suspended	Package:	Filesystem function related
PHP Version:	Irrelevant	OS:	UNIX
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please — but make sure to vote on the bug!

Your email address: MUST BE VALID
Solve the problem: 11 + 14 = ?
Subscribe to this entry?

[2020-05-26 08:24 UTC] matteo dot gruppi at cyberoo dot com

Description:
------------
---
From manual page: https://php.net/function.mime-content-type
---
The mime_content_type() function will return the type of file but only check the first N bytes for the mime type.
Using the mimetype command from command line will return a different type.
The negative scenario is one in which someone creates a malicious file by injecting the first bytes to allow the function to recognize the file as expected (for example as .pdf) but the real type of the file is another.

Test script:
---------------
$file1="real_pdf.pdf";
$file2="real_php.pdf";
$file3="fake_pdf_with_php.pdf";
$finfo = finfo_open(FILEINFO_MIME_TYPE);
echo $file1." mime_content_type: ".mime_content_type($file1)." finfo_file: ".finfo_file($finfo, $file1)." syscall: ".system('/usr/bin/mimetype '.$file1)."\r\n";
echo $file2." mime_content_type: ".mime_content_type($file2)." finfo_file: ".finfo_file($finfo, $file2)." syscall: ".system('/usr/bin/mimetype '.$file2)."\r\n";
echo $file3." mime_content_type: ".mime_content_type($file3)." finfo_file: ".finfo_file($finfo, $file3)." syscall: ".system('/usr/bin/mimetype '.$file3)."\r\n";


Expected result:
----------------
real_pdf.pdf mime_content_type: application/pdf finfo_file: application/pdf syscall: real_pdf.pdf: application/pdf
real_php.pdf mime_content_type: text/x-php finfo_file: text/x-php syscall: real_php.pdf: application/x-php
fake_pdf_with_php.pdf mime_content_type: application/x-php finfo_file: application/x-php syscall: fake_pdf_with_php.pdf: application/x-php


Actual result:
--------------
real_pdf.pdf mime_content_type: application/pdf finfo_file: application/pdf syscall: real_pdf.pdf: application/pdf
real_php.pdf mime_content_type: text/x-php finfo_file: text/x-php syscall: real_php.pdf: application/x-php
fake_pdf_with_php.pdf mime_content_type: application/pdf finfo_file: application/pdf syscall: fake_pdf_with_php.pdf: application/x-php

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2020-06-01 17:03 UTC] cmb@php.net

I don't think that erroneous results from mime_content_type() and
friends qualify as security issues.  After all, these *try* to
detect the proper mimetype.

[2020-06-01 18:05 UTC] stas@php.net

-Status: Open +Status: Suspended -Type: Security +Type: Bug

[2020-06-01 18:05 UTC] stas@php.net

mime_content_type() does not guarantee secure detection of file type (which doesn't exist anyway - file type is just a guess, same file can be interpreted by different programs in different ways). If you have some specific way in which the function can be improved, please suggest. Otherwise, this is not really actionable.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Tue Apr 16 16:01:28 2024 UTC