PHP
JackShcherbakov, 2018-02-16 18:01:46

How does the move_uploaded_file() function help protect against file upload attacks?

Hello! I found this example in the php documentation:

<?php
// In PHP 4.1.0 and earlier versions, use $HTTP_POST_FILES
// instead of $_FILES.

$uploaddir = '/var/www/uploads/';
// basename() strips any directory part of the client-supplied file name
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);

echo '<pre>';
// move_uploaded_file() only succeeds if tmp_name refers to a file that PHP
// itself received as part of this request's HTTP POST upload
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
    echo "Файл корректен и был успешно загружен.\n";      // "File is valid and was uploaded successfully."
} else {
    echo "Возможная атака с помощью файловой загрузки!\n"; // "Possible file upload attack!"
}

echo 'Некоторая отладочная информация:'; // "Some debugging info:"
print_r($_FILES);
print "</pre>";

?>

The line is not quite clear:
echo "Возможная атака с помощью файловой загрузки!\n";

How does this function help protect? I understood from the documentation that this function checks whether the file filename was uploaded to the server (transferred via the HTTP POST protocol). If the file was indeed uploaded to the server, it is moved to the location given by the destination argument. After all, a hacker can also transfer a file via HTTP POST. In what case will this line be displayed?
Thanks in advance!


2 answer(s)
Boris Korobkov, 2018-02-16
@BorisKorobkov

This check:
- protects against your config with database passwords being transferred to the upload folder. For example, with /upload.php?$_FILES[userfile][tmp_name]=../private/config.php&$_FILES[userfile][name]=public_config.txt
- does not protect against uploading a PHP script instead of a JPG file. That requires other checks and protections.
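To make both points concrete (the question about when the "Возможная атака" branch fires, and the answer above about what the check does and does not cover), here is an added example that is not from the PHP manual or from anyone in this thread. The function name handle_upload, the $allowed map and the constructed demo input are my own assumptions; it uses only standard PHP functions (is_uploaded_file, move_uploaded_file, finfo, random_bytes).

```php
<?php
// Added example (not from the PHP manual or this thread): a hardened upload
// handler showing what move_uploaded_file() covers and what it leaves to you.
// Names (handle_upload, $allowed, $uploadDir) are assumptions for this demo.

declare(strict_types=1);

function handle_upload(array $file, string $uploadDir, array $allowed): array
{
    // 1. Transport check. PHP only marks a file as "uploaded" when it received it
    //    in this request's multipart/form-data body. move_uploaded_file() performs
    //    this same check internally and returns false otherwise; doing it
    //    explicitly lets us tell "not an upload" apart from "could not write".
    if (!isset($file['tmp_name'], $file['name'], $file['error'])
        || !is_uploaded_file($file['tmp_name'])) {
        return ['ok' => false, 'reason' => 'not an uploaded file (possible file upload attack)'];
    }
    if ($file['error'] !== UPLOAD_ERR_OK) {
        return ['ok' => false, 'reason' => 'upload error code ' . $file['error']];
    }

    // 2. Content check. move_uploaded_file() never inspects the bytes, so a
    //    "photo.php" would be copied verbatim. Derive the stored extension from
    //    the sniffed MIME type, never from the client-supplied name.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime === false || !isset($allowed[$mime])) {
        return ['ok' => false, 'reason' => 'disallowed content type ' . var_export($mime, true)];
    }
    $ext = $allowed[$mime];

    // 3. Never reuse the client-supplied name: generate an opaque one.
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return ['ok' => false, 'reason' => 'move failed'];
    }
    chmod($dest, 0644); // no execute bit on the stored file
    return ['ok' => true, 'path' => $dest];
}

// Constructed demo. Run this from the CLI: the file below was created locally,
// not received via an HTTP POST upload, so is_uploaded_file() is false and the
// handler rejects it. That is exactly the condition under which the manual's
// example prints "Возможная атака с помощью файловой загрузки!".
$fake = tempnam(sys_get_temp_dir(), 'demo');
file_put_contents($fake, "not really an upload\n");

$allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
$result = handle_upload(
    ['name' => '../private/config.php', 'tmp_name' => $fake, 'error' => UPLOAD_ERR_OK],
    sys_get_temp_dir(),
    $allowed
);
echo $result['ok'] ? 'accepted: ' . $result['path'] : 'rejected: ' . $result['reason'], "\n";
unlink($fake);
```

Under a web SAPI with a real multipart upload, step 1 passes and the decision moves to the MIME allowlist and the generated file name; the transport check on its own says nothing about what the file contains, which is why the answer above says move_uploaded_file() does not stop a PHP script disguised as an image.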

Alexander Aksentiev, 2018-02-16
@Sanasol

https://github.com/php/php-src/blob/13a9a886fa1c10...
