class.upload.php is a powerful and mature PHP class to manage uploaded files, and manipulate images in many ways. The script is available under a GPL license.
Got it!
system information
- class version : 0.29
- operating system : WINNT
- PHP version : 5.2.10
- GD version : 2.0.34
- supported image types : png jpg gif bmp
- open_basedir : no restriction
- language : de_DE
source is an uploaded file
- upload OK
- file name OK
determining MIME type
- Checking MIME type with Fileinfo PECL extension
Fileinfo PECL extension not available
- Checking MIME type with UNIX file() command
UNIX file() command not availabled
- Checking MIME type with mime.magic file (mime_content_type())
mime_content_type() is not available
- Checking MIME type with getimagesize()
getimagesize() failed
- MIME type detected as application/octet-stream by browser
- MIME validated as application/octet-stream
- Flash may be rewriting MIME as application/octet-stream
- Try to guess MIME type from file extension (exe): doesn't look like anything known
source variables
- You can use all these before calling process()
file_src_name : AirFranceTravelDeskFR.exe
file_src_name_body : AirFranceTravelDeskFR
file_src_name_ext : exe
file_src_pathname : D:\www\phpTemp\php9825.tmp
file_src_mime : application/octet-stream
file_src_size : 3327918 (max= 83886080)
file_src_error : 0
process file to modules/Samples/files/SA898/\
- file size OK
- file mime OK : application/octet-stream
- file name safe format
- destination variables
file_dst_path : modules/Samples/files/SA898/\
file_dst_name_body : AirFranceTravelDeskFR
file_dst_name_ext : exe
- no image operation, keep extension
- no auto_rename if same filename exists
- destination file details
file_dst_name : AirFranceTravelDeskFR.exe
file_dst_pathname : modules/Samples/files/SA898/\AirFranceTravelDeskFR.exe
- no overwrite checking
- no image processing wanted
- process OK
Are you using a Flash uploader? Flash rewrites all MIME types to application/octet-stream, so the class can only rely on the file extension.
I see that none of the MIME detection methods are enabled on your server, and you are using a Windows server. So your system cannot determine the MIME type reliably. You should set up your server so that it can detect MIME types, or use a proper operating system for a server (Linux, BSD...).
In any case, the class on your system can only determine the MIME to be application/octet-stream for extensions it doesn't know. exe extensions are not known, so it falls back to application/octet-stream.
You can forbid the MIME application/octet-stream to prevent such files from being uploaded. But then it is really easy to spoof an upload, as in your case the class is forced to rely on the file extension. In other words, whatever you try to do to restrict the MIME types which can be uploaded, you cannot have something secure: just changing the file extension will allow an attacker to upload any file he wants.
My suggestion: use a proper operating system, or at least make sure that MIME detection is enabled on your system. Without this, you will not be able to secure your uploads.
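The advice in this reply, as an added example that is not part of class.upload.php or of the author's answer: a fail-closed check, written for current PHP (7.1 or later, unlike the PHP 5.2 server in the log), that refuses the upload when content-based MIME detection is missing and otherwise requires the detected type to match an extension allowlist. ALLOWED_TYPES, validateUpload and the sample file name are assumptions of the example.

```php
<?php
// Added example, not part of class.upload.php: fail-closed content-type
// validation for an uploaded file, following the advice in the reply above.
// Allowlist: extension => MIME type(s) that content detection must report.
// There is deliberately no entry for exe, so such files are always refused.
const ALLOWED_TYPES = [
    'png'  => ['image/png'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'gif'  => ['image/gif'],
];

/**
 * Returns null if the file may be stored, or a rejection reason.
 * $tmpPath is the temporary upload ($_FILES['f']['tmp_name']); $clientName
 * is the browser-supplied name and is used only to look up an extension.
 */
function validateUpload(string $tmpPath, string $clientName): ?string
{
    // Never trust $_FILES[...]['type']: Flash and many clients send
    // application/octet-stream for everything. Detect from content instead,
    // and if detection is unavailable (as in the log, where Fileinfo, file()
    // and mime_content_type() were all missing) refuse rather than guess.
    if (!class_exists('finfo')) {
        return 'Fileinfo extension not available; upload refused';
    }
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($detected === false || $detected === 'application/octet-stream') {
        return 'content type could not be determined; upload refused';
    }

    // The extension is only an allowlist key, never a trust signal: the
    // detected content type must match what the extension claims.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        return "extension '$ext' is not allowed";
    }
    if (!in_array($detected, ALLOWED_TYPES[$ext], true)) {
        return "content is $detected but name claims $ext; upload refused";
    }

    // Independent second check for images: the image header must parse.
    if (@getimagesize($tmpPath) === false) {
        return 'file does not parse as an image; upload refused';
    }
    return null;
}

// Constructed usage: an executable renamed to photo.png is rejected because
// the detected type is not image/png, whatever the extension says.
// $reason = validateUpload($_FILES['f']['tmp_name'], $_FILES['f']['name']);
```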