class.upload.php is a powerful and mature PHP class to manage uploaded files, and manipulate images in many ways. The script is available under a GPL license.
Use the latest version of the class. Set the allowed MIME types to only the types that you want. By default, the class should prevent sending unauthorized files. Check in the log produced by the class how the class handles renamed files.
system information
- class version : 0.28
- GD version : 2.0.34
- supported image types : png jpg gif bmp
- open_basedir : no restriction
- language : en_GB
source is an uploaded file
- upload OK
- file name OK
determining MIME type
- Checking MIME type with Fileinfo PECL extension
Fileinfo PECL extension not available
- Checking MIME type with UNIX file() command
UNIX file() command not availabled
- Checking MIME type with mime.magic file (mime_content_type())
MIME type detected as by mime_content_type()
- Checking MIME type with getimagesize()
getimagesize() failed
- MIME type detected as image/jpeg by browser
- can't retrieve image information. open_basedir restriction in place?
source variables
- You can use all these before calling process()
file_src_name : haberbot.jpg
file_src_name_body : haberbot
file_src_name_ext : jpg
file_src_pathname : D:\Xampp\tmp\php17AD.tmp
file_src_mime : image/jpeg
file_src_size : 2084 (max= 67108864)
file_src_error : 0
- source file is an image
image_src_x :
image_src_y :
image_src_pixels :
image_src_type : jpg
image_src_bits :
process file to images/haber\
- file size OK
- file mime OK : image/jpeg
- no image properties available, can't enforce dimension checks : image/jpeg
- file name safe format
- destination variables
file_dst_path : images/haber\
file_dst_name_body : haberbot
file_dst_name_ext : jpg
- image operation, keep extension
- checking for auto_rename
- destination file details
file_dst_name : haberbot.jpg
file_dst_pathname : images/haber\haberbot.jpg
- haberbot.jpg doesn't exist already
- the file is not an image!
- no image processing wanted
- process OK
Your system is badly configured, and cannot determine the MIME type. Please check your system and PHP installation so that one of the MIME detection methods works.
- Checking MIME type with Fileinfo PECL extension
Fileinfo PECL extension not available
- Checking MIME type with UNIX file() command
UNIX file() command not availabled
- Checking MIME type with mime.magic file (mime_content_type())
MIME type detected as by mime_content_type()
- Checking MIME type with getimagesize()
getimagesize() failed
- MIME type detected as image/jpeg by browser
So the class has to rely on what the browser sends as MIME type: image/jpeg, which cannot be trusted.
You need to have either Fileinfo, the unix file command, or the mime.magic method working on your server to be able to determine the MIME type securely.
As I say above, you need to have at least one MIME type detection method that works on your server: either Fileinfo, unix file, or mime.magic. You may want to use getimagesize() as you indicate, but it is not reliable.
If your server cannot detect MIME types, then you will have to trust the browser, and will not be able to stop malicious files being renamed as pictures, for instance.
What operating system are you using? On Unix and MacOS, you should have the file command working. Or you can install the PECL extension Fileinfo. Note that I am not supporting the class when used on Windows.
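An added example (not code from class.upload.php or its author) of the fail-closed version of what the reply describes: detect the type from the file content with Fileinfo or mime_content_type(), refuse the upload when neither is available rather than falling back to the browser's claim, and require the client extension to match. The allow-list and function names are my own assumptions.

```php
<?php
// Added example, not part of class.upload.php: decide whether an upload may be
// accepted as an image. The browser-supplied type is ignored; when no
// server-side detection method exists the check fails closed.
// Allowed detected MIME types and the extensions each may carry (assumption).
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => ['jpg', 'jpeg'],
    'image/png'  => ['png'],
    'image/gif'  => ['gif'],
];

// Content-based MIME detection. Returns null when no method is available,
// so the caller can refuse instead of trusting the browser.
function detectMimeFromContent(string $path): ?string
{
    if (function_exists('finfo_open')) {            // Fileinfo extension
        $finfo = finfo_open(FILEINFO_MIME_TYPE);
        if ($finfo !== false) {
            $mime = finfo_file($finfo, $path);
            finfo_close($finfo);
            if (is_string($mime) && $mime !== '') {
                return $mime;
            }
        }
    }
    if (function_exists('mime_content_type')) {     // mime.magic method
        $mime = @mime_content_type($path);
        if (is_string($mime) && $mime !== '') {
            return $mime;
        }
    }
    return null;
}

// Accept only if the detected type is allowed, the image header agrees with
// it, and the client-supplied extension matches the detected type.
function isAcceptableImageUpload(string $tmpPath, string $clientName): bool
{
    $mime = detectMimeFromContent($tmpPath);
    if ($mime === null || !isset(ALLOWED_IMAGE_TYPES[$mime])) {
        return false;   // undetectable, or not an allowed image type (x.php)
    }
    $info = @getimagesize($tmpPath);   // weak alone, useful as a second opinion
    if ($info === false || image_type_to_mime_type($info[2]) !== $mime) {
        return false;
    }
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_IMAGE_TYPES[$mime], true);
}
```

Call it as isAcceptableImageUpload($_FILES['f']['tmp_name'], $_FILES['f']['name']) before moving the file; a renamed script is rejected because its content is not an allowed image type, whatever its extension says.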
x.php renamed from x.jpg,
and uploading to my host... how to block this file type... thanks.
// getimagesize() returns false when it cannot parse an image header
if (@getimagesize($handle->file_src_pathname)) { echo 'Pass'; } else { echo 'Fake'; }