I am working on a script that will process user uploads to the server, and as an added layer of security I'd like to know:
Is there a way to detect a file's true extension/file type, and ensure that it is not another file type masked with a different extension?
Is there a byte stamp or some unique identifier for each type/extension?
I'd like to be able to detect that someone hasn't applied a different extension onto the file they are uploading.
Thank you,
Others have already mentioned FileInfo, which I think is the correct solution, but I'll add this just in case you can't use that one for some reason. Most (all?) *nix distros include a command called file that when run on a file will output its type. It has a switch to output in human readable format (default) or the MIME type. You could have your script invoke this program on the uploaded file and read the result. Again, this is not the preferred approach. If you're on Windows, this utility is available through Cygwin.
Executables in general have a "signature" on the first bytes; I find it hard though to really ascertain what the file type really is.
What file types do you expect? Maybe you could check that it conforms to what you expect and reject everything else.
PHP has a superglobal $_FILES that holds information like size and file type. It looks like the type is taken from some sort of a header, not an extension, but I may be wrong.
There is an example of it on w3schools site.
I am going to test if it can be tricked when I get a chance.
UPDATE:
Everyone else probably knew this, but $_FILES can be tricked. I was able to determine it this way:
It basically uses Unix's file command. There are probably better ways, but I haven't used PHP in a while. I usually avoid using system commands if possible.
PHP has a couple of ways of reading file contents to determine its MIME type, depending on which version of PHP you are using:
Have a look at the Fileinfo functions if you're running PHP 5.3+
Alternatively, check out mime_content_type for older versions.
Note that just validating the file type isn't enough if you want to be truly secure. Someone could, for example, upload a valid JPEG file which exploits a vulnerability in a common renderer. To guard against this, you would need a well maintained virus scanner.
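The content-based check the answers recommend (Fileinfo), as an added example that is not part of the original thread: it reads the MIME type from the file's bytes, requires it to be on an allowlist and to agree with the client-supplied extension, and returns a server-chosen extension. `ALLOWED_TYPES`, `checkUpload()` and the sample files are constructed for illustration; PHP 7.1+ with the fileinfo extension is assumed.

```php
<?php
// Added example: allowlist check on the content-derived MIME type.
// ALLOWED_TYPES and checkUpload() are hypothetical names, not from the thread.
const ALLOWED_TYPES = [
    'image/jpeg' => ['jpg', 'jpeg'],
    'image/png'  => ['png'],
    'image/gif'  => ['gif'],
];

/**
 * Returns the extension to store the file under, or throws if the content
 * type is not allowed or disagrees with the client-supplied file name.
 */
function checkUpload(string $path, string $clientName): string
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($path);   // derived from the bytes, not the name
    if ($mime === false || !array_key_exists($mime, ALLOWED_TYPES)) {
        throw new RuntimeException('rejected: content type ' . var_export($mime, true));
    }
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_TYPES[$mime], true)) {
        throw new RuntimeException("rejected: .$ext does not match $mime");
    }
    return ALLOWED_TYPES[$mime][0]; // server-chosen extension, never the client's
}

// Constructed samples: a minimal GIF header and PHP source, each with a claimed name.
$samples = [
    ['photo.gif', "GIF89a\x01\x00\x01\x00\x00\x00\x00;"],
    ['photo.jpg', "GIF89a\x01\x00\x01\x00\x00\x00\x00;"],
    ['photo.jpg', "<?php echo 'hello'; ?>\n"],
];
foreach ($samples as [$name, $bytes]) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $bytes);
    try {
        echo "$name: accepted as ." . checkUpload($tmp, $name) . "\n";
    } catch (RuntimeException $e) {
        echo "$name: " . $e->getMessage() . "\n";
    } finally {
        unlink($tmp);
    }
}
```

In an upload handler the path would be the entry's `tmp_name` from `$_FILES` and the claimed name its `name`; the stored file should get a server-generated name plus the returned extension.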