How To Block Fake image Files

See all posts Reply

How To Block Fake image Files new!
by Yavuz, 15 years ago
hi,

x.php renamed from x.jpg,

and uploading my host... how to block this file type... thanks.Reply
Re: How To Block Fake image Files new!
by colin, 15 years ago
Use the latest version of the class. Set the allowed MIME types to only the types that you want. By default, the class should prevent sending unauthorized files. Check if the log produced by the class how the class handles renamed files.Reply
Re: How To Block Fake image Files new!
by Yavuz, 15 years ago
Here my Codes : But Dont Work.

if ($handle->uploaded){	
  $handle->allowed 		= array('image/jpeg','image/gif','image/png');
  $handle->file_safe_name	= true; 
  $handle->mime_check		= true; 
  $handle->mime_magic_check	= true;
  $handle->mime_getimagesize	= true;		
  $handle->no_script		= true; 
  $handle->file_overwrite	= false;
  $handle->image_resize		= true;
  $handle->image_ratio_y	= true;
  //..........
}
Reply
Re: How To Block Fake image Files new!
by colin, 15 years ago
Can you copy here the log produced by the class? I cannot do anything without the log.Reply
Re: How To Block Fake image Files new!
by Yavuz, 15 years ago
system information
- class version : 0.28
- GD version : 2.0.34
- supported image types : png jpg gif bmp
- open_basedir : no restriction
- language : en_GB
source is an uploaded file
- upload OK
- file name OK
determining MIME type
- Checking MIME type with Fileinfo PECL extension
Fileinfo PECL extension not available
- Checking MIME type with UNIX file() command
UNIX file() command not availabled
- Checking MIME type with mime.magic file (mime_content_type())
MIME type detected as by mime_content_type()
- Checking MIME type with getimagesize()
getimagesize() failed
- MIME type detected as image/jpeg by browser
- can't retrieve image information. open_basedir restriction in place?
source variables
- You can use all these before calling process()
file_src_name : haberbot.jpg
file_src_name_body : haberbot
file_src_name_ext : jpg
file_src_pathname : D:\Xampp\tmp\php17AD.tmp
file_src_mime : image/jpeg
file_src_size : 2084 (max= 67108864)
file_src_error : 0
- source file is an image
image_src_x :
image_src_y :
image_src_pixels :
image_src_type : jpg
image_src_bits :
process file to images/haber\
- file size OK
- file mime OK : image/jpeg
- no image properties available, can't enforce dimension checks : image/jpeg
- file name safe format
- destination variables
file_dst_path : images/haber\
file_dst_name_body : haberbot
file_dst_name_ext : jpg
- image operation, keep extension
- checking for auto_rename
- destination file details
file_dst_name : haberbot.jpg
file_dst_pathname : images/haber\haberbot.jpg
- haberbot.jpg doesn't exist already
- the file is not an image!
- no image processing wanted
- process OKReply
Re: How To Block Fake image Files new!
by colin, 15 years ago
Your system is badly configured, and cannot determine the MIME type. Please check your system, and PHP installation so that one of the MIME detection method works.Reply
Re: How To Block Fake image Files new!
by Yavuz, 15 years ago
MIME works but i cant stop file transfer...Reply
Re: How To Block Fake image Files new!
by colin, 15 years ago
Mime doesn't work on your system

- Checking MIME type with Fileinfo PECL extension
Fileinfo PECL extension not available
- Checking MIME type with UNIX file() command
UNIX file() command not availabled
- Checking MIME type with mime.magic file (mime_content_type())
MIME type detected as by mime_content_type()
- Checking MIME type with getimagesize()
getimagesize() failed
- MIME type detected as image/jpeg by browser


So the class has to rely on what the browser sends as MIME type: image/jpeg, which cannot be trusted.

You need to have either Fileinfo, the unix file command, or mime.magic method working on your server to be able to determine the MIME type securely.Reply
Re: How To Block Fake image Files new!
by Yavuz, 15 years ago
i can use this method?

if (@getimagesize($handle->file_src_pathname)){echo 'Pass';}else{echo 'Fake';}Reply
Re: How To Block Fake image Files new!
by colin, 15 years ago
As I say above, you need to have a least one MIME type detection method that works on your server. Either Fileinfo, either unix file, either mime.magic. You may want to use getimagesize() as you indicate, but it is not reliable.

If your server cannot detect MIME types, then you will have to trust the browser, and will not be able to stop malicious files being renamed as pictures for instance.

What operating system are you using? On Unix and MacOS, you should have the file command working. Or you can install the PECL extension Fileinfo. Note that I am not supporting the class when used on Windows.Reply