Closed
Bug 585880
Opened 14 years ago
Closed 14 years ago
application/type on uploads reported wrong when file extension renamed
Categories
(Firefox :: File Handling, defect)
Tracking
()
RESOLVED
INVALID
People
(Reporter: adam, Unassigned)
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 ( .NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 ( .NET CLR 3.5.30729)
This is a critical error in your browser.
I am using PHP5 to perform the following action.
My upload script always checks the mime-type of the file against my own database to ensure the mime-type is allowed (not the extension). The reason being that anyone can rename an extension and potentially run it in the upload destination.
I have a .zip file called "archive.zip" with a load of dodgy files in it.
I rename it so it is called "archive.jpg".
When I upload it and then print the $_FILES array it tells me that the file is of the type image/jpeg and not application/x-zip-compressed (or similar) like it should.
Basically, your browser isn't doing a mime-type check of the file and seems to be just storing a database of extensions and then returning the mime-type that matches it rather than doing it the other way around.
Critical error to me.
Potentially, your browser is letting an executable or PHP,ASP script disguise itself as an image or any other type of common extension so it can be uploaded regardless of the programmers attempt to stop the intrusion.
I do believe this warrants me to some money please.
I hear there are rewards.
I don't get out much so even just a bag of fresh air would be nice.
Just so I can inhale it every now and then and feel like I've gone for a walk in the park (without dog **** in it).
Anyway,
Feel free to email me and ask questions.
To be honest, I can't believe nobody has picked up on this!
Reproducible: Always
Steps to Reproduce:
Create HTML Upload form (multipart)
Rename a .zip file to .jpg or .doc or .anything
On upload, print the $_FILES array
See file being reported as an incorrect type
Actual Results:
Incorrect mime-type reported
Expected Results:
The correct mime-type reported regardless of the file extension.
I'm a good programmer (15 years +) and I don't have a "community" status because all I do is code stuff, got no time for a blog or a facebook account.
You probably didn't want to know all that.
But yes, please check out this bug.
It's so obviously dangerous that I'm baffled.
Or maybe, it's just me and it's working fine for everyone else.
Obviously, I have to take that on board as a possibility.
My other thought was that maybe your browser is using the operating system's own recognition methods as a guide. But that wouldn't explain why IE8 knows the mime-type regardless of extension and your's doesn't.
I even renamed the file to ".doc" and it told me it was an applicate/ms-word :)
Comment 2•14 years ago
|
||
How do you expect the browser to know what the file MIME type is? We only know the MIME type by looking at the file extension and mapping it back to a MIME type.
Your webapp is responsible for validating that it can actually handle the data which is uploaded.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → INVALID
Woah there Benjamin. Calm down. I'm your friend here, not your enemy.
I know my web app can do a double take on the mime-type by running a seperate exec command through linux and is already something I've implemented.
The reason it popped up for me was because I have a tracker that tells me what people are TRYING to do. We have kids renaming files all the time trying to push .exe files in. It popped up in a report when I noticed that initially, the browser upload ($_FILES) said it was an image, but then my check (via linux) reported is as an application. I did a browser check and noticed Internet Explorer already knew it was an application at ($_FILES) stage on upload, yet Firefox/Google didn't.
So I guess the question for you to answer next is...
"Why does Internet Explorer 8 correctly tell me the mime-type of the file regardless of the extension, yet Firefox doesn't".
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
If it's a case that it's just something Internet Explorer can do because it's more in tune with it's own operating system then fair enough. It doesn't bother me either way, helping out was my goal.
Comment 5•14 years ago
|
||
I really don't know how IE decided which MIME type to associate with the file. We could, of course, upload all files as application/octet-stream, but we've decided to use the OS extension->MIME mapping service to guess something better. It's obviously advisory, and not something we're likely to spend more time on.
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago → 14 years ago
Resolution: --- → INVALID
That's fine Benjamin.
I agree with you on the upload as application/octet-stream.
To be honest, with that method it would force developers (and make them more aware) about the fact that $_FILES[type] should be ignored!!
Thanks, have a good day.
Adam
ps - do I still get a bag of fresh air? :)
You need to log in
before you can comment on or make changes to this bug.
Description
•