Reputation: 1387
I am using a simple file upload script. The script allows file type filtering but I am unsure as to what files I should allow/disallow.
What file types should I prevent from being uploaded?
Upvotes: 0
Views: 822
Reputation: 733
The MIME type provided in $_FILES is sent from the browser, thus it is not safe to trust it. There are other functions to determine the MIME type of the file, but note that most of them rely on the file extension. This is a poor way to determine it, as I can easily rename .exe to .png and the functions will report that it's an image. I am not sure of your needs, but you could limit the script to allow only image files and check if they're really images with the ImageMagick or GD libraries.
No file is dangerous to the server as it is. However, if there is a flaw in the security that would allow user files to be run, ANY file might be a potential threat.
I suggest not denying some file types but allowing a couple that users might want to upload.
Upvotes: 1
Reputation: 1387
Found THIS (put in .htaccess):
php_flag engine off
which 'turns off' PHP, so the file cannot be run! Then you can allow upload of whatever you want
(thanks to Pekka for link)
Upvotes: 1
Reputation: 11132
Don't make a blacklist. Instead, make a whitelist of the allowed file types.
Upvotes: 0
Reputation: 10226
You should only allow types you need (whitelist). You never know what could change about your server, PHP, or the types of files people can create and what they can do to a server.
It seems there is no reason to possibly sacrifice security in exchange for less type checking.
Upvotes: 1
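The whitelist approach recommended in the answers above, combined with the suggestion to verify that uploads really are images with GD, as an added example that is not part of any answer on this page. It assumes a form field named "upload" and a storage directory outside the web root (UPLOAD_DIR); both names are assumptions for illustration.

```php
<?php
// Added example (not from any answer above): whitelist-based upload check.
// Assumes a form field named "upload" and an UPLOAD_DIR outside the web root.
const UPLOAD_DIR = '/var/www/uploads_private'; // assumed; not served directly
const MAX_BYTES  = 2 * 1024 * 1024;

// Whitelist: extension => MIME type that finfo must report for the content.
const ALLOWED = [
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
    'gif' => 'image/gif',
];

function validate_upload(array $file): string {
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed or not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // The client-supplied name only selects a whitelist entry; $file['type']
    // is browser-supplied and is never consulted.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    // Sniff the actual bytes (magic numbers) rather than the name.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException("content is $mime, not " . ALLOWED[$ext]);
    }
    // Confirm GD can decode it as an image.
    $img = @imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('not a decodable image');
    }
    // Re-encode with GD so the stored file holds only pixel data we produced,
    // under a random name the client cannot influence.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    $ok = match ($ext) {
        'jpg' => imagejpeg($img, $dest, 90),
        'png' => imagepng($img, $dest),
        'gif' => imagegif($img, $dest),
    };
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('could not write image');
    }
    return $dest;
}
```

Call `validate_upload($_FILES['upload'])` from the upload handler; because the stored copy is produced by GD and lives outside the document root, the `php_flag engine off` setting from the earlier answer becomes a second layer rather than the only one.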