Programming
arctblake, 2016-06-23 17:48:49

Upload file validation, what checks should be added?

0) On the frontend, only allow certain types of files to be uploaded. For convenience, not safety, of course.
On the server:
1) Check the file extension.
2) Check the Content-Type.
3) Read the first 512 bytes and pass them to the function that determines the file's Content-Type. The result should match point 2.
4) Check the file size.
Purely in theory, it would be possible to bypass this validation by embedding the script in the middle of a picture; then the extension would match the Content-Type too. But the file itself would be saved on the server as, say, alala.jpg, and then it couldn't be run as a script, or am I mistaken?
Is this validation enough?
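The four server-side checks from the question, written out as an added example in Python (this is not code from the original post). The extension allowlist, the size limit, the magic-byte table and the sample inputs are all constructed for the example; `demo()` runs each check against one input that should fail it, and then feeds in the polyglot the question describes, which passes all four:

```python
import secrets
from typing import Optional

# Constructed for this example: an allowlist keyed by extension, giving the
# Content-Type the client must declare and the magic bytes the file must start
# with. Anything not listed is rejected (point 1 of the question).
ALLOWED = {
    "jpg":  ("image/jpeg", (b"\xff\xd8\xff",)),
    "jpeg": ("image/jpeg", (b"\xff\xd8\xff",)),
    "png":  ("image/png",  (b"\x89PNG\r\n\x1a\n",)),
    "gif":  ("image/gif",  (b"GIF87a", b"GIF89a")),
}
MAX_BYTES = 2 * 1024 * 1024  # point 4; an assumed limit


class UploadRejected(ValueError):
    """Raised with the name of the check that failed."""


def sniff_content_type(head: bytes) -> Optional[str]:
    """Point 3: decide the type from the first bytes, ignoring what the client said."""
    for ctype, magics in ALLOWED.values():
        if any(head.startswith(m) for m in magics):
            return ctype
    return None


def validate_upload(filename: str, declared_type: str, data: bytes) -> str:
    """Run checks 1-4 in order; return the type the file will be stored as."""
    # 1) extension: last component only, lower-cased, must be in the allowlist
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED:
        raise UploadRejected("extension")
    expected = ALLOWED[ext][0]
    # 2) declared Content-Type, with parameters such as '; charset=...' stripped
    if declared_type.split(";", 1)[0].strip().lower() != expected:
        raise UploadRejected("content-type")
    # 3) the first 512 bytes must sniff as the same type as the extension says
    if sniff_content_type(data[:512]) != expected:
        raise UploadRejected("magic")
    # 4) size
    if len(data) > MAX_BYTES:
        raise UploadRejected("size")
    return expected


def storage_name(filename: str) -> str:
    """Random server-side name: the client-supplied name never touches the disk."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return f"{secrets.token_hex(16)}.{ext}"


# Constructed sample inputs
PNG_HEAD = b"\x89PNG\r\n\x1a\n"
POLYGLOT = PNG_HEAD + b"\x00" * 16 + b"<?php echo 'php inside a png'; ?>"


def demo() -> dict:
    """One accepted file, one failing input per check, then the polyglot."""
    results = {"png": validate_upload("cat.png", "image/png", PNG_HEAD + b"\x00" * 64)}
    cases = [
        ("bad extension", "shell.php", "image/png", PNG_HEAD),
        ("bad content-type", "cat.png", "text/html", PNG_HEAD),
        ("bad magic", "cat.png", "image/png", b"<?php ?>"),
        ("too big", "cat.png", "image/png", PNG_HEAD + b"\x00" * MAX_BYTES),
    ]
    for label, name, ctype, data in cases:
        try:
            validate_upload(name, ctype, data)
            results[label] = "accepted"
        except UploadRejected as err:
            results[label] = f"rejected:{err}"
    # The bypass from the question: all four checks pass and the PHP is still inside.
    results["polyglot"] = validate_upload("cat.png", "image/png", POLYGLOT)
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:16s} {outcome}")
```

Two things the checks alone do not cover, which is why the rename in `storage_name` is not optional: `shell.php.jpg` passes check 1 (the extension is `jpg`), yet an Apache host configured with `AddHandler` for PHP can still hand a file with that name to the PHP handler, and a client-supplied name may carry `../` components. Storing under a random name sidesteps both. The last entry of `demo()` also shows that nothing here inspects the file beyond its header, so the embedded-script case the question raises is accepted; what stops it from running is where and how the file is stored and served, not these checks.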


3 answer(s)
Alexey, 2016-06-23
@alsopub

Nicely laid out.
It remains to check that this vulnerability is absent: https://forum.antichat.ru/threads/222063/
And then you can launch the service :)

entermix, 2016-06-23
@entermix

Isn't forbidding direct execution of files, i.e. anything that bypasses index.php, an option?

Roman Mirilaczvili, 2016-06-24
@2ord

It is possible to upload a file that passes validation yet contains malicious instructions.
Say we add code to certain parts of a PNG image that exploits vulnerable versions of the system components that process the file.
So in addition to validation, it may also make sense to scan with an antivirus with up-to-date databases.
And, in general:
Why File Upload Forms are a Major Security Threat
