How to ensure that an uploaded file is an MS Word document?
I'm thinking of saving uploaded docs to a folder outside the webroot and feeding the downloads with a script using readfile(file).
However, I'm wondering if the following would be enough to remove any kind of threats there could be:
<?php
$filename = basename($_FILES['uploaded_file']['name']);
$ext = substr($filename, strrpos($filename, '.') + 1);
// 'type' is supplied by the browser, not derived from the file contents
if (($ext == "doc") && ($_FILES["uploaded_file"]["type"] == "application/msword"))
{
    // execute rest of the code
}
I've read people recommended using finfo_open(), but my server is under php 5.3.0 so I can't use it. I've tried using mime_content_type() but it will always throw me a "text/plain" with any kind of file I send through (I don't know if I'm doing something wrong with that).
Is there anything I could add to make this a more secure process?
One issue you will inevitably come across is that browsers can tag a file's mime-type inappropriately. For example there is a common Firefox bug that can tag most files as application/octet-stream even though the file genuinely is a doc or pdf, or xls file, etc. The 'safest' thing to do is scan the file server side, which should also include a virus check. However if you have limited server access you may not be able to do this.
I've used ClamAv (http://www.clamav.net/lang/en/) in the past to do this.
See http://sourceforge.net/projects/php-clamav/ for more details.
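As an added example (not code from the question or the answer above), here is how the two points raised on this page fit together in PHP that runs without finfo_open(): instead of trusting the extension and the browser-supplied MIME type, the upload is checked by its content (a legacy .doc is an OLE2 compound document, whose first eight bytes are fixed), optionally passed through ClamAV's clamscan command-line tool, stored outside the web root under a generated name, and later served through readfile() as the question proposes. UPLOAD_DIR, MAX_DOC_BYTES and the availability of clamscan on the server's PATH are assumptions; the code uses array() rather than short array syntax so it also runs on PHP 5.2. Note that .docx files are ZIP archives, not OLE2 documents, so this check deliberately rejects them.

```php
<?php
// Added example, not from the original page: validate an uploaded .doc by its
// content rather than by the browser-supplied MIME type, then store it outside
// the web root under a generated name. UPLOAD_DIR and MAX_DOC_BYTES are assumed.

define('UPLOAD_DIR', '/var/uploads/docs');   // assumed: a directory outside the web root
define('MAX_DOC_BYTES', 10 * 1024 * 1024);   // assumed size limit: 10 MiB

// Legacy .doc files are OLE2 compound documents; the first 8 bytes are fixed.
define('OLE2_MAGIC', "\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1");

// Returns true if the file starts with the OLE2 signature.
function looks_like_ole2($path)
{
    $fh = fopen($path, 'rb');
    if ($fh === false) {
        return false;
    }
    $head = fread($fh, 8);
    fclose($fh);
    return $head === OLE2_MAGIC;
}

// Virus scan with the clamscan CLI (exit code 0 = clean, 1 = infected, 2 = error).
// Returns true only when clamscan ran and reported the file clean.
function clamscan_clean($path)
{
    $out = array();
    $code = 2;
    exec('clamscan --no-summary ' . escapeshellarg($path), $out, $code);
    return $code === 0;
}

// Validates one entry of $_FILES and moves it into UPLOAD_DIR.
// Returns the generated file name on success, or a string starting with
// "error:" saying why the upload was rejected.
function accept_doc_upload(array $file)
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return 'error: upload failed';
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return 'error: not an uploaded file';
    }
    if ($file['size'] > MAX_DOC_BYTES) {
        return 'error: file too large';
    }
    // The extension check on the client-supplied name is only a first filter;
    // the content check below is what actually decides.
    $ext = strtolower(pathinfo(basename($file['name']), PATHINFO_EXTENSION));
    if ($ext !== 'doc') {
        return 'error: extension must be .doc';
    }
    if (!looks_like_ole2($file['tmp_name'])) {
        return 'error: content is not an OLE2 (.doc) document';
    }
    if (!clamscan_clean($file['tmp_name'])) {
        return 'error: virus scan did not pass';
    }
    // Never reuse the client's file name on disk: generate our own.
    $stored = sha1(uniqid(mt_rand(), true)) . '.doc';
    $dest = UPLOAD_DIR . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return 'error: could not store file';
    }
    chmod($dest, 0640);   // readable by the web server, not executable
    return $stored;
}

// Serves a stored file through readfile() after confirming that the requested
// name has the exact shape this script generates (no path components possible).
function send_doc($stored)
{
    if (!preg_match('/^[0-9a-f]{40}\.doc$/', $stored)) {
        return false;
    }
    $path = UPLOAD_DIR . '/' . $stored;
    if (!is_file($path)) {
        return false;
    }
    header('Content-Type: application/msword');
    header('Content-Disposition: attachment; filename="document.doc"');
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    readfile($path);
    return true;
}

if (isset($_FILES['uploaded_file'])) {
    echo accept_doc_upload($_FILES['uploaded_file']);
}
```

The Content-Disposition and nosniff headers on the download side matter as much as the upload check: they keep the browser from rendering the stored bytes inline under a guessed type, which is the same browser MIME-guessing problem the answer describes, seen from the other direction.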