Thread: [mod-security-users] Validation type of upload files

Brought to you by: victorhora, zimmerletw

mod-security-users

[mod-security-users] Validation type of upload files

From: Jochen K. <deb...@fr...> - 2005-02-22 21:18:14

I have a PHP-form running at

 http://127.0.0.1/xxx.xxx/upload/upload.php

with a file-selection field.

All the date ist transmitted to

http://127.0.0.1/noeinfo.noe.de/upload/do_upload.php

Now I wan't to allow only image-files to be uploaded.
But the following does not work:

    <Location /var/www/noeinfo.noe.de/upload/upload.php>
            SecFilterInheritance Off
            SecFilterSelective POST_PAYLOAD "!image/(jpeg|bmp|gif)"
    </Location>

What's wrong here?

Thanx


-- 
Jochen Kaechelin

Re: [mod-security-users] Validation type of upload files

From: Ivan R. <iv...@we...> - 2005-02-22 23:27:34

Jochen Kaechelin wrote:
> I have a PHP-form running at
> 
>  http://127.0.0.1/xxx.xxx/upload/upload.php
> 
> with a file-selection field.
> 
> All the date ist transmitted to
> 
> http://127.0.0.1/noeinfo.noe.de/upload/do_upload.php
> 
> Now I wan't to allow only image-files to be uploaded.
> But the following does not work:
> 
>     <Location /var/www/noeinfo.noe.de/upload/upload.php>
>             SecFilterInheritance Off
>             SecFilterSelective POST_PAYLOAD "!image/(jpeg|bmp|gif)"
>     </Location>
> 
> What's wrong here?

   That cannot work for several reasons. First, the content type
   transported with the file is client-generated and can be
   faked.

   ModSecurity will not give you access to the raw request body
   when multipart/form-data is used, because it doesn't make
   sense. It is trivial to bypass any type of regular expression.
   Also, regular expressions would most likely not work because
   of the binary content.

   So what you actually get with POST_PAYLOAD and multipart/form-data
   is a simulated application/x-www-form-urlencoded body.

   To restrict file uploads you have the following options:

   1) Use an approver script

      1a) If filtering using the extension is good enough for you
          I am pretty sure the temporary file you get in the
          approver script will have the same extension as the
          original (sorry, I can't check at the moment).

      1b) You don't have to rely on the extension -- you can have
          a "smart" script figure out the actual content of the
          file. Something like the "file" tool.

   2) In 1.9.x there is the FILE_NAMES variable that allows
      filtering using the name of the file.

-- 
Ivan Ristic (http://www.modsecurity.org)

Re: [mod-security-users] Validation type of upload files

From: Troy A. <tr...@ze...> - 2005-02-23 02:28:09

On Tue, Feb 22, 2005 at 11:33:08PM +0000, Ivan Ristic wrote:
> Jochen Kaechelin wrote:
> >
> >Now I wan't to allow only image-files to be uploaded.
> >But the following does not work:
> >
> >    <Location /var/www/noeinfo.noe.de/upload/upload.php>
> >            SecFilterInheritance Off
> >            SecFilterSelective POST_PAYLOAD "!image/(jpeg|bmp|gif)"
> >    </Location>
> >
> >What's wrong here?
> 
>   To restrict file uploads you have the following options:
> 
>   1) Use an approver script
> 
>      1a) If filtering using the extension is good enough for you
>          I am pretty sure the temporary file you get in the
>          approver script will have the same extension as the
>          original (sorry, I can't check at the moment).
> 
>      1b) You don't have to rely on the extension -- you can have
>          a "smart" script figure out the actual content of the
>          file. Something like the "file" tool.

This is slightly OT, but see the poorly named 'getimagesize()' php
function: 
http://www.php.net/manual/en/function.getimagesize.php

It returns an array of information about the given file, including its
image type.  It's safe to say that if it doesn't have a type and size,
then it's not a valid image file.

-troy