Reputation: 836
Can I fake uploaded image filesize?
I'm building a simple image file upload form. Programmatically, I'm using the Laravel 5 framework. Through the Input facade (through Illuminate), I can resolve the file object, which in itself is an UploadedFile (through Symfony).
The UploadedFile's API ref page (Symfony docs) says that
public integer | null getClientSize()
Returns the file size. It is extracted from the request from which the file has been uploaded. It should not be considered as a safe value. Return Value integer|null The file size
- What will be these cases where the uploaded filesize is wrongly reported?
- Are there known exploits using this?
- How can the admin ensure this is detected (and hence logged as a trespass attempt)?
Upvotes: 2
Views: 1203
Answers (1)
Reputation: 617
That method is using the "Content-Length" header, which can easily be forged. You'll want to use the easy construct $_FILES['myfile']['size']. As an answer to another question has already stated: Can $_FILES[...]['size'] be forged?
This value checks the actual size of the file, and is not modified by the provided headers.
If you'd like to check for people misbehaving, you can simply compare the content-length header to your $_FILES['myfile']['size'] value.
Upvotes: 1
Related Questions
- Laravel - get size from uploaded file
- Laravel Uploading Image with small file size and big file size
- Limit the image size on laravel request post
- Laravel filesize of a pictures that is uploaded
- How to upload large size image by Intervention Image in Laravel 5
- Check upload file validation -Laravel
- how to check image dimensions before upload in laravel 4
- Laravel and Intervention - How to disallow upload of big images
- Validating fileupload(image Dimensions) in Backend Octobercms
- Laravel - How validate max size of an image that exceed upload_max_filesize directive