  1. #1
    SitePoint Zealot

    MP3 Files are Encoded as "application/force-download" by Firefox

    I have a website that allows people to upload sound files. Someone wrote to me saying their MP3 file won't upload. The system was telling them it was not an audio file but an "application/force-download" file. They emailed the file to me, and I was able to upload it without a problem, as the encoding of the file was correct on my computer (audio/mpeg).

    Apparently this is happening only when this person uses Firefox to upload the files. Has anyone experienced this problem themselves? Why is Firefox changing the encoding of files it is uploading to a website, and why is it encoding them wrong? Is there a way to prevent this from happening?

    Any help would be appreciated!

  2. #2
    Immerse (SitePoint Wizard)
    I don't think Firefox is actually encoding anything; it simply sends a content-type header along with the upload.

    A good friend of mine has all Firefox uploads reported as unknown/unknown. We've not yet been able to figure out why it's doing this so unfortunately I don't have a solution for you. Are you using some kind of firewall? Maybe that's interfering with the upload?

  3. #3
    kromey (Worship the Krome)
    No idea why Firefox would do this. However, I'm assuming this is a problem for your site because you are relying upon $_FILES['userfile']['type'], and that's where you're coming up with the "application/force-download" problem, correct?

    This is precisely the wrong way to validate the uploaded file.

    Why? Because the type is user input - it's set by the browser, and PHP does not make any attempt to verify that (it even explicitly states so in the PHP manual!). Thus I could easily upload trojanvirus.exe to your website and make it take it without even a peep!

    Better would be to check the file extension - if the file ends in .mp3, accept it, elsewise reject it. Then I wouldn't be able to upload trojanvirus.exe to your site. I could rename it to trojanvirus.mp3, but that won't do me any good because it won't ever run unless the poor sap who downloads it renames it to trojanvirus.exe and runs it (or, if the poor sap is in a *nix environment, he sets the execute bit and runs it).
    PHP questions? RTFM
    MySQL questions? RTFM

  4. #4
    SitePoint Zealot
    Quote (originally posted by Immerse):
    > Are you using some kind of firewall? Maybe that's interfering with the upload?

    There may be a firewall. Could that really cause this to happen?

  5. #5
    SitePoint Zealot
    Quote (originally posted by kromey):
    > No idea why Firefox would do this. However, I'm assuming this is a problem for your site because you are relying upon $_FILES['userfile']['type'], and that's where you're coming up with the "application/force-download" problem, correct?
    >
    > This is precisely the wrong way to validate the uploaded file.

    Yes, I am using $_FILES['userfile']['type'] to determine the file type. Isn't validating based on the extension only a bit risky? I'm also resizing the photos once uploaded, so if they upload an Excel file with an extension of JPG, won't that cause a PHP error when I try to resize a file that is not a JPEG?

    Thanks!

  6. #6
    kromey (Worship the Krome)
    If you're uploading images, do the following checks (in this order):
    1) Check extension. It must be one of .gif, .jpg, .jpeg, .png, etc., based on the types you want to accept (easiest method is to build an array of acceptable extensions, then check if the file's extension is in this list).
    2) Use getimagesize on the image. It will return false on error (and will error on almost all non-image files).
    3) Compare the file's extension to that returned by image_type_to_extension (using the proper return value from getimagesize). However, be aware that it will return .jpg when .jpeg is also a valid extension.

    If all of these checks pass, it's most likely an image and you can proceed with the processing. If not, reject the uploaded file.

    Checking the extension only is a lot less dangerous than relying on user input. Also, a virus uploaded as a .jpg or .mp3 is completely impotent unless the user who downloads it returns the file to an executable (either by renaming it as a .exe or by setting the execute bit, depending on their environment).
    PHP questions? RTFM
    MySQL questions? RTFM
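
The three checks listed in post #6, applied in that order, as an added example that is not part of the original thread. The function names `validate_image_upload()` and `normalize_ext()`, the allow-list and the sample files are hypothetical; the sample inputs are constructed inline so the script runs on its own.

```php
<?php
// Added example: extension allow-list, getimagesize(), then type comparison.
// validate_image_upload() and normalize_ext() are hypothetical helper names.

const ALLOWED_EXTENSIONS = ['gif', 'jpg', 'jpeg', 'png'];

// Treat "jpg" and "jpeg" as the same type when comparing extensions.
function normalize_ext(string $ext): string
{
    $ext = strtolower(ltrim($ext, '.'));
    return $ext === 'jpg' ? 'jpeg' : $ext;
}

// $path: where the uploaded bytes are stored (e.g. $_FILES[...]['tmp_name']).
// $clientName: the filename the browser sent (e.g. $_FILES[...]['name']).
// Returns null when all checks pass, otherwise the reason for rejection.
function validate_image_upload(string $path, string $clientName): ?string
{
    // 1) Extension must be on the allow-list.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return 'extension not allowed';
    }
    // 2) getimagesize() must recognise the file contents as an image.
    $info = @getimagesize($path);
    if ($info === false) {
        return 'not a readable image';
    }
    // 3) The detected type must agree with the claimed extension.
    $detected = image_type_to_extension($info[2], false);
    if ($detected === false || normalize_ext($detected) !== normalize_ext($ext)) {
        return 'extension does not match contents';
    }
    return null;
}

// Constructed sample inputs: a 1x1 GIF and a plain-text file.
$gif = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($gif, base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));
$txt = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($txt, "not an image\n");

var_dump(validate_image_upload($gif, 'pixel.gif')); // GIF bytes named .gif
var_dump(validate_image_upload($gif, 'pixel.png')); // GIF bytes named .png
var_dump(validate_image_upload($txt, 'sheet.jpg')); // text bytes named .jpg
var_dump(validate_image_upload($gif, 'pixel.exe')); // extension off the list
unlink($gif);
unlink($txt);
```

In an upload handler the two arguments would be `$_FILES['userfile']['tmp_name']` and `$_FILES['userfile']['name']`; the browser-supplied `$_FILES['userfile']['type']` is never consulted.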

