That’s why you check what kind of file it is by checking the mime type of the tmp file. The tmp file contains the ACTUAL mime type.

If you were to create a malicious file, say malicious_file.php, write a bunch of garbage in it, and then upload that file, the original mime type of that file will be text/html. Change that malicious file to malicious_file.jpg or even malicious_file.php.jpg and upload it to your uploading system. That original mime type will be text/html. The type of the file extension will be image/jpg. Do you see what is wrong with this picture? The original mime type is text/html, but the type you are checking against is image/jpg. The original mime type will remain the same no matter what. So if I were to change it to malicious_file.xml, the original mime type would still be text/html. However, the type of the file extension will be application/xml. This means that the type of the file extension will always change based on the file extension.

You do not want to do that. What you want to do is check the mime type of the tmp file. When you have a legitimate image file, it will always remain image/jpg, image/jpeg, image/gif, or image/png. This means that no matter what, if you change a legitimate image file from good_file.jpg to good_file.php, that file will always have the mime type of image/jpg if it is a legitimate image file. It will also fail the checking function the OP has in place because it doesn’t have the right mime type, which is image/jpg. The file extension shouldn’t matter if the mime type of the original file is legitimate.
With the system the OP has right now, he is allowing arbitrary files to be uploaded. Not only is this a security hazard, but it is also just pure bad practice. You are also doing double the work to achieve the same result. By just checking the mime type of the tmp file, you allow a more secure and safe way of uploading.
Don’t take my word for it. Try this same method on Facebook, the social media giant that basically hires hundreds of PHP users who know what they are doing. Not only do they specialize in PHP, they are always checking for security risks and pay a lot of money to anyone who finds exploits for them.

I dare you to try this method on Facebook. Create a malicious file and upload it to Facebook. Then change that file to have .jpg as the file extension. Do you see and wonder why your malicious file won’t go through even though you changed it to .jpg? That’s because they CHECK the mime type of the tmp file. If they were to check the mime type of the file extension, obviously that would be an exploit anyone could use to hack Facebook.
People who push support for whitelisting file extensions are the ones that keep this legacy up. This is an entirely dangerous thing to do and would highly likely be an exploit that people can use. I would never suggest whitelisting file extensions nor suggest any kind of system like this. This is pure bad design and outright dangerous.
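An added example (not code from the answer above or from the OP's project) that implements the comparison the answer describes: the type derived from the client-supplied file name versus the type sniffed from the leading bytes of the tmp file. It uses only the Python standard library; mimetypes.guess_type plays the role of the "type of the file extension", and the magic-byte table, the ALLOWED_TYPES set, the sample payloads and the file names are assumptions made for the example.

```python
"""Content-sniffing an upload versus trusting its extension.

Added example, not code from the original thread. Only the Python standard
library is used: `mimetypes` stands in for the extension-derived type, and a
small magic-byte table stands in for inspecting the tmp file itself.
"""
import mimetypes
import os
import tempfile

# Leading-byte signatures for the image types the answer lists (constructed table).
MAGIC_SIGNATURES = (
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
)

# Assumed allow-list for an image-only upload endpoint.
ALLOWED_TYPES = frozenset({"image/jpeg", "image/png", "image/gif"})


def sniff_mime(data: bytes) -> str:
    """Return the MIME type implied by the file's leading bytes."""
    for signature, mime in MAGIC_SIGNATURES:
        if data.startswith(signature):
            return mime
    return "application/octet-stream"


def extension_mime(client_name: str) -> str:
    """Return the MIME type implied purely by the client-supplied name."""
    guessed, _ = mimetypes.guess_type(client_name)
    return guessed or "application/octet-stream"


def check_upload(tmp_path: str, client_name: str) -> dict:
    """Compare both views of the upload; the accept decision uses only the sniffed type."""
    with open(tmp_path, "rb") as fh:
        head = fh.read(16)
    by_content = sniff_mime(head)
    by_extension = extension_mime(client_name)
    return {
        "client_name": client_name,
        "by_extension": by_extension,
        "by_content": by_content,
        "accepted": by_content in ALLOWED_TYPES,
    }


# Constructed sample payloads: garbage wrapped in PHP tags, and a minimal PNG
# (1x1 pixel) so the signature check has a real image to recognise.
PHP_GARBAGE = b"<?php /* garbage */ echo 'hi'; ?>\n"
TINY_PNG = bytes.fromhex(
    "89504e470d0a1a0a0000000d49484452000000010000000108060000001f15c489"
    "0000000d49444154789c6360000002000100e221bc330000000049454e44ae426082"
)


def run_demo() -> list:
    """Write each payload to a tmp file under a misleading client name and check it."""
    results = []
    with tempfile.TemporaryDirectory() as workdir:
        cases = (
            ("malicious_file.php.jpg", PHP_GARBAGE),  # garbage renamed to look like a JPEG
            ("malicious_file.jpg", PHP_GARBAGE),      # same, plain .jpg
            ("good_file.php", TINY_PNG),              # real image renamed to .php
        )
        for client_name, payload in cases:
            tmp_path = os.path.join(workdir, "phpUploadTmp")  # assumed tmp-file name
            with open(tmp_path, "wb") as fh:
                fh.write(payload)
            results.append(check_upload(tmp_path, client_name))
    return results


if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

Run directly, it prints one dict per case: both renamed garbage files come back as application/octet-stream by content and are rejected even though the extension says image/jpeg, while the PNG saved as good_file.php is accepted. Note exactly what sniff_mime decides: it reads the first 16 bytes only, so it answers "does this file begin like one of the listed image types", and the signature table and the allow-list therefore need to be maintained together.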