Backend MIME-Type Check of Filetypes + Frontend Message

beeja

Hi,

i searched a lot for a solution of checking the mimetypes before uploading, but i didnt find any complete code so i coded a own solution.
the fileext is too easy to bypass, so you should check the mimetypes of the files.

i edited the backend uploadify.php as follows:


// Erlaubte Dateitypen
	$allowedmimetypes = array("application/x-rar", "application/zip", "image/jpeg", "image/png", "audio/mpeg", "application/pdf", "video/x-msvideo");
	
	// MIME Typ bestimmen
	$finfo = finfo_open(FILEINFO_MIME_TYPE);
	$filemimetype = finfo_file($finfo, $tempFile);
	finfo_close($finfo);
			
	// Nur wenn MIME Typ erlaubt ist Datei in den Uploadordner verschieben
	if (in_array($filemimetype, $allowedmimetypes)) {
		move_uploaded_file($tempFile,$targetFile);
	}
	else {
		// Q: Wie an Skript übergeben dass Fehler ausgegeben werden soll ?
		// A: Per Javascript Dateiendung überprüfen als Workaround zusätzlich zu Backend MIME Typ Kontrolle
	}
	echo str_replace($_SERVER['DOCUMENT_ROOT'],'',$targetFile);

To avoid the upload if the file is not allowed i used the javascript in the .php file where the form is located:


		$(document).ready(function() {
			$('#file_upload').uploadify({
				'uploader'  : '/uploadify/uploadify.swf',
				'script'    : '/uploadify/uploadify.php',
				'cancelImg' : '/uploadify/cancel.png',
				'folder'    : '/Upload',
				'auto'      : true,
				'multi'     : true,
				'displayData' : 'speed',
				'sizeLimit'   : 153600000, // 150 MB
				'simUploadLimit' : 2,
				'queueSizeLimit' : 30,
				'removeCompleted': false,
				'onSelect' : function(event,ID,fileObj) {
					var fileName = fileObj.name; // Filename
					var ext = fileName.substring(fileName.lastIndexOf(".")+1,fileName.length); // Extract String after .

					switch (ext) {
						case 'jpg': case 'png': case 'rar': case 'zip': case 'mp3': case 'pdf': case 'avi': // Continue with allowed filetypes
							break;
						default: // Else Stop & Remove Upload from Queue
							//alert('Dateityp ' + ext.toUpperCase() + ' zum Upload nicht freigegeben !');
							if (fileName.length > 20) {
								fileName = fileName.substr(0,20) + '...';
							}
							var byteSize = Math.round(fileObj.size / 1024 * 100) * .01;
							var suffix = 'KB';
							if (byteSize > 1000) {
								byteSize = Math.round(byteSize *.001 * 100) * .01;
								suffix = 'MB';
							}
							$('#file_uploadQueue').append('<div id="file_upload' + ID + '" class="uploadifyQueueItem uploadifyError"><div class="cancel"><a href="javascript:jQuery(\'#file_upload\').uploadifyCancel(\'' + ID + '\')"><img src="/uploadify/cancel.png" border="0"></a></div><span class="fileName">' + fileName + ' (' + byteSize + ' ' + suffix +') - Failed</span><div style="margin-top:5px;color:red">Dateityp ' + ext.toUpperCase() + ' zum Upload nicht freigegeben !</div></div>');
							$jQuery("#uploadify").uploadifyCancel(ID);
							break;
					}
				}
			});
		});

I hope i could help someone with this script.

If someone knows how to get access to the variables of the uploadify.js from the .php file, i would like to get to know.
because i copied some parts of the code to get the rounded filesize etc.

To add a new mimetype which is allowed you have to edit 2 parts of the script. first you have to add the exakt mimetype name in the uploadify.php and also you have to set the case for the fileending in the main php file.

greetings.

[Deleted User]

The user and all related content has been deleted.

jonnyhayes

If you don't have pecl file_info() installed and your host uses UNIX/LINUX:
replace
// MIME Typ bestimmen
$finfo = finfo_open(FILEINFO_MIME_TYPE);
$filemimetype = finfo_file($finfo, $tempFile);
finfo_close($finfo);
with
$filemimetype = system("file -bi $tempFile");

works a charm ..also

else { unlink($tempFile);
// Q: Wie an Skript übergeben dass Fehler ausgegeben werden soll ?
// A: Per Javascript Dateiendung überprüfen als Workaround zusätzlich zu Backend MIME Typ Kontrolle
}
to remove the offending file from you system.

dengine

The solutions above needs PHP version 5.3 or higher. I think both Beeja and Jonnhyhayes made great examples but I had to work with a website running on 5.1 so it required a differen approach. Since I only had to make sure visitors could only upload images I was able to fix the issue with the getimagesize() function. It gives information om the mimitype but only for images. If you're also dealing with PDF etc. you're out of luck. Here's my solution to check for mimi-type:

Be aware that I use some other variablenames so if this may not work if you just copy paste it.

Uploadify version 3 was used for this.


if (!empty($_FILES)) {
	
	$tempfile 	= $_FILES['Filedata']['tmp_name'];
	$targetpath = $targetfolder;
	
	$returnfile = $_FILES['Filedata']['name'];
	$file 		= $_FILES['Filedata']['name'];
	$file 		= utf8_decode($file);
	$file 		= preg_replace("[^a-zA-Z0-9_.-\[\]()]", "", strtr($file, "()áàâãäéèêëíìîïóòôõöúùûüçÁÀÂÃÄÉÈÊËÍÌÎÏÓÒÔÕÖÚÙÛÜÇ% ", "[]aaaaaeeeeiiiiooooouuuucAAAAAEEEEIIIIOOOOOUUUUC__"));
	$file 		= strtolower($file);

	$aux_targetfile = str_replace('//','/',$targetpath);
	$targetfile 	= str_replace('//','/',$targetpath) . $file;

	// check on filetype
	$allowed = array(
		'image/jpeg',
		'image/pjpeg',
		'image/png',
		'image/x-png',
		'image/gif'
	);
		
	$size = getimagesize($tempfile);
	$mime = $size['mime'];	
		
	if (!in_array($mime, $allowed)) {
		$error = 666;
	}
	
	// check on extension
	$allowed = array(
		'.jpg',
		'.jpeg',
		'.gif',
		'.png'
	);
			
	if (!in_array(strtolower(strrchr($returnfile,'.')), $allowed)) {
		$error = 666;
	}
	

	if($error){
		
		echo $error;
		
	}else{

		if(file_exists($targetfile)) {
			while ($ok != true) {
				if(file_exists($targetfile)) {
					$ok = false;
					$rand = rand(1000, 9999);
					$targetfile = $aux_targetfile . $rand . '_' . $file;
				} else {
					$ok = true;
					$file = $rand . '_' . $file;
				}
			}
		}
		
		move_uploaded_file($tempfile,$targetfile);
		
		echo $imagefolder.$file;
	
	}
	
}

Howdy, Stranger!

Categories