Re: [PHP] is_uploaded_file() security
hi, I think marek's recent message has answered this already, but i also believe that even in the older system where you have form fields like result in global variables like userfile_name etc the global variables don't get populated unless you send the correct enctype. best regards Alexander Mueller wrote: Raditha Dissanayake wrote: Hi, Multipart/form-data sends the entire file, if you don't use that enctype yes, just the file name is sent. best regards I see, but then $_FILES is probably not set. So it wouldnt be necessary to use is_uploaded_file() if one solely uses $_FILES (but should probably nevertheless for any possible bugs - as Marek mentioned). Did I miss anything? Alexander -- Raditha Dissanayake. http://www.radinks.com/sftp/ | http://www.raditha/megaupload/ Lean and mean Secure FTP applet with | Mega Upload - PHP file uploader Graphical User Inteface. Just 150 KB | with progress bar. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] is_uploaded_file() security
Raditha Dissanayake wrote: > > Hi, > Multipart/form-data sends the entire file, if you don't use that enctype > yes, just the file name is sent. > > best regards I see, but then $_FILES is probably not set. So it wouldnt be necessary to use is_uploaded_file() if one solely uses $_FILES (but should probably nevertheless for any possible bugs - as Marek mentioned). Did I miss anything? Alexander -- PINO - The free Chatsystem! Available at http://www.pino.org -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] is_uploaded_file() security
I tried: Fake: $_FILES superglobal still wasn't poisoned. Alexander Mueller wrote: Raditha Dissanayake wrote: This does not work with multipart/form-data you need www-urlencoded (or just don't set an enctype attribute in your form) What would happen in this case? The given filename would be passed to the script?! Alexander -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] is_uploaded_file() security
Hi, Multipart/form-data sends the entire file, if you don't use that enctype yes, just the file name is sent. best regards Alexander Mueller wrote: Raditha Dissanayake wrote: This does not work with multipart/form-data you need www-urlencoded (or just don't set an enctype attribute in your form) What would happen in this case? The given filename would be passed to the script?! Alexander -- Raditha Dissanayake. http://www.radinks.com/sftp/ | http://www.raditha/megaupload/ Lean and mean Secure FTP applet with | Mega Upload - PHP file uploader Graphical User Inteface. Just 150 KB | with progress bar. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] is_uploaded_file() security
Raditha Dissanayake wrote: > > This does not work with multipart/form-data you need www-urlencoded (or > just don't set an enctype attribute in your form) What would happen in this case? The given filename would be passed to the script?! Alexander -- PINO - The free Chatsystem! Available at http://www.pino.org -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] is_uploaded_file() security
I don't think so. Test this, but I think you can just type /etc/passwd into the file name box (instead of using the "browse" button) and have that value submitted in the form. May be dependent upon the browser on how it's handled, though. This does not work with multipart/form-data you need www-urlencoded (or just don't set an enctype attribute in your form) Either way, I can still construct a POST to your site using cURL or something to "simulate" sending you a file with a name of a file on your server. So, validate that the file is actually an uploaded file and not a path to something else. That's why the functions exist. ---John Holmes... -- Raditha Dissanayake. http://www.radinks.com/sftp/ | http://www.raditha/megaupload/ Lean and mean Secure FTP applet with | Mega Upload - PHP file uploader Graphical User Inteface. Just 150 KB | with progress bar. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] is_uploaded_file() security
CPT John W. Holmes wrote: I don't think so. Test this, but I think you can just type /etc/passwd into the file name box (instead of using the "browse" button) and have that value submitted in the form. May be dependent upon the browser on how it's handled, though. You would send your own /etc/passwd to the server. Either way, I can still construct a POST to your site using cURL or something to "simulate" sending you a file with a name of a file on your server. I checked it. I tried phpinfo.php?_FILES[file][tmp_name]=/etc/passwd and $_FILES superglobal was not set. My guess is it is the same for post and cookies. But who knows if this will be the same in PHP7 ;) So, validate that the file is actually an uploaded file and not a path to something else. That's why the functions exist. ---John Holmes... -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] is_uploaded_file() security
From: "Alexander Mueller" <[EMAIL PROTECTED]> > "Cpt John W. Holmes" wrote: > > > > The user can pass the name of a file on the server. If you're not doing any > > checks and moving or displaying the "file" the user "sent" you, you may end > > up moving, deleting, or displaying any file on your server. > > > > ---John Holmes... > > Thanks John, but only in the case global variables are active (as Marek > mentioned), right? I don't think so. Test this, but I think you can just type /etc/passwd into the file name box (instead of using the "browse" button) and have that value submitted in the form. May be dependent upon the browser on how it's handled, though. Either way, I can still construct a POST to your site using cURL or something to "simulate" sending you a file with a name of a file on your server. So, validate that the file is actually an uploaded file and not a path to something else. That's why the functions exist. ---John Holmes... -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] is_uploaded_file() security
"Cpt John W. Holmes" wrote: > > The user can pass the name of a file on the server. If you're not doing any > checks and moving or displaying the "file" the user "sent" you, you may end > up moving, deleting, or displaying any file on your server. > > ---John Holmes... Thanks John, but only in the case global variables are active (as Marek mentioned), right? Alexander -- PINO - The free Chatsystem! Available at http://www.pino.org -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] is_uploaded_file() security
Marek Kilimajer wrote: > > By requesting upload_script.php?userfile=/etc/passwd and > upload_sript.php uses global variables to handle uploads. This check > should not be necessery if you are using $_FILES superglobal as php will > not accept _FILES user input. But keep the check there in case a bug > will be introduced. > > Alexander Mueller wrote: Thanks for the explanation Marek. When I fully entered PHP's arena the global variables werent really an issue anymore, therefore I am more familiar with the $_* arrays and wondered about this paragraph. So in the good old days one could access the uploaded file by the name of the input field?! Thanks, Alexander -- PINO - The free Chatsystem! Available at http://www.pino.org -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] is_uploaded_file() security
From: "Alexander Mueller" <[EMAIL PROTECTED]> > AFAIK the browser only sends the content of the chosen file and cannot > specify in any way a local filename which should be worked on. > Furthermore PHP creates a temporary file containing the uploaded file > content and passes this filename as 'tmp_name' variable. How can then a > "malicious user try to trick the script"? The user can pass the name of a file on the server. If you're not doing any checks and moving or displaying the "file" the user "sent" you, you may end up moving, deleting, or displaying any file on your server. ---John Holmes... -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] is_uploaded_file() security
By requesting upload_script.php?userfile=/etc/passwd and upload_sript.php uses global variables to handle uploads. This check should not be necessery if you are using $_FILES superglobal as php will not accept _FILES user input. But keep the check there in case a bug will be introduced. Alexander Mueller wrote: Hi, I am wondering about the following paragraph at http://at2.php.net/manual/en/function.is-uploaded-file.php. Returns TRUE if the file named by filename was uploaded via HTTP POST. This is useful to help ensure that a malicious user hasn't tried to trick the script into working on files upon which it should not be working--for instance, /etc/passwd. This sort of check is especially important if there is any chance that anything done with uploaded files could reveal their contents to the user, or even to other users on the same system. AFAIK the browser only sends the content of the chosen file and cannot specify in any way a local filename which should be worked on. Furthermore PHP creates a temporary file containing the uploaded file content and passes this filename as 'tmp_name' variable. How can then a "malicious user try to trick the script"? Thanks, Alexander -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] is_uploaded_file() security
Hi, I am wondering about the following paragraph at http://at2.php.net/manual/en/function.is-uploaded-file.php. > Returns TRUE if the file named by filename was uploaded via HTTP POST. > This is useful to help ensure that a malicious user hasn't tried to > trick the script into working on files upon which it should not be > working--for instance, /etc/passwd. > > This sort of check is especially important if there is any chance that > anything done with uploaded files could reveal their contents to the > user, or even to other users on the same system. AFAIK the browser only sends the content of the chosen file and cannot specify in any way a local filename which should be worked on. Furthermore PHP creates a temporary file containing the uploaded file content and passes this filename as 'tmp_name' variable. How can then a "malicious user try to trick the script"? Thanks, Alexander -- PINO - The free Chatsystem! Available at http://www.pino.org -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php