CODEWITHSUNDEEP
phpflashfile-uploadmime-types
resurgens
resurgens

Reputation: 87

Verify an uploaded .FLA isn't malicious

I am working on a PHP-based project management system that allows users to upload a variety of media files. To prevent users from uploading malicious files, the system verifies both the MIME type (using finfo_file) and the extension (using pathinfo) against a whitelist.

This has worked well, with one exception: .FLA (Flash movie authoring) files. Unfortunately, finfo_file can't parse a MIME type for these files. Instead it returns this somewhat misleading error message:

"CDF V2 Document, corrupt: Cannot read summary info"

(I verified the test .FLAs I'm using aren't actually corrupt.)

Obviously checking the extension only is insufficient, since all someone would have to do is give a malicious script an .FLA extension to bypass my safeguards. What else might I do to maximize the chances that an uploaded .FLA file is safe? (The system must support .FLA uploads -- it's non-negotiable.)

Upvotes: 2

Views: 677

Answers (2)

cwallenpoole
cwallenpoole

Reputation: 82048

Can you restrict them to CS5 FLA's? Because those are zip files with fairly simple content. You can call the following:

<?php 
$za = new ZipArchive(); 

$arr = array();
$za->open('D:\\path\\to\\file.fla'); 
for( $i = 0; $i < $za->numFiles; $i++ ){ 
    $stat = $za->statIndex( $i ); 
    $arr[] = $stat['name']; 
} 
?>

That should, give you these (as a minimum):

mimetype
LIBRARY
META-INF
DOMDocument.xml
metadata.xml
PublishSettings.xml
MobileSettings.xml
SymDepend.cache

The catch is that this only works for CS5 and it does not work consistently for files created in CS3 or 4.

Of course, you should make sure that you prevent your server from having anything which can open an Adobe Creative Suite file of any form. and recommend anti-virus to your clientele.

Upvotes: 1

DefconRhall
DefconRhall

Reputation: 293

As I understand it finfo_file just gives you the mime/type which can easily be spoofed or fooled just like you said with an extension change. The better way to handle this is to get a real antivirus solution and install it on your server. The problem there is knowing when the scan is complete or not. You can easily have most antivirus products perform a scan on a file by giving it the right command line parameters, but the real problem is knowing when the scan is done.

Upvotes: 1

Related Questions