
input validation on HTTP_RAW_POST_DATA

I'm using the jQuery webcam plugin from xarg.org; this plugin allows using the user's webcam through a Flash application and taking a snapshot.

When taking a snapshot, the image is sent to a PHP script that saves it, via HTTP_RAW_POST_DATA. The author proposes this script:

<?php
$str = file_get_contents("php://input");
file_put_contents("/tmp/upload.jpg", pack("H*", $str));
?>

My problem is the input validation; I don't know how to test the data from HTTP_RAW_POST_DATA.

I added this test after the previous script:

$imageOK = true;
// getimagesize() returns an array (width, height, type, 'mime', ...) for a valid image, false otherwise
$imagesize = getimagesize("views/img/order.jpg");
if (@is_array($imagesize)) {
    // the array key must be quoted: an unquoted mime is an undefined constant
    if ($imagesize['mime'] != "" && $imagesize['mime'] == "image/jpeg") {
        $imageOK = true;
    } else {
        $imageOK = false;
    }
} else {
    $imageOK = false;
}
if (!$imageOK) {
    unlink("views/img/order.jpg");
}

Do you think it is secure? If not, which kind of test can I do?

Thanks

You check the file type with getimagesize(), which is good and secure.

But I don't see in your code any validation of the file size.

The golden rule is to never trust input from the client. So you should check server-side the size of the file.

You can check the OWASP website, which gives some good practices about file upload: https://www.owasp.org/index.php/Unrestricted_File_Upload
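The following is an added example, not code from the asker, the answerer, or the webcam plugin's author. It combines the two scripts above into one hardened upload handler: it caps the request body size server-side as the answer recommends, validates the hex encoding before decoding it, checks the decoded bytes with getimagesizefromstring() before anything touches the disk (the question's version checks the file only after it has already been written), re-encodes the pixels through GD, and stores the result under a server-generated name. The constants MAX_BODY_BYTES, MAX_DIMENSION and UPLOAD_DIR, the fail() helper and the directory path are assumptions for the example; adjust them to your deployment.

```php
<?php
// Added example (not from the original question or answer): a hardened
// snapshot-saving script. Assumptions: the request body is the hex-encoded
// JPEG the webcam plugin posts, and UPLOAD_DIR is a writable directory that
// the web server does not serve directly.
declare(strict_types=1);

const MAX_BODY_BYTES = 2 * 1024 * 1024;      // assumed cap: 2 MiB of hex text (~1 MiB image)
const MAX_DIMENSION  = 4096;                  // assumed cap on width/height in pixels
const UPLOAD_DIR     = '/var/app/snapshots';  // assumed path outside the document root

function fail(int $status, string $msg): void {
    http_response_code($status);
    header('Content-Type: text/plain');
    echo $msg;
    exit;
}

// 1. Reject oversized bodies before reading them fully into memory.
//    Content-Length is client-controlled, so the read below is capped as well.
$declared = (int)($_SERVER['CONTENT_LENGTH'] ?? 0);
if ($declared <= 0 || $declared > MAX_BODY_BYTES) {
    fail(413, 'request body missing or too large');
}
$in = fopen('php://input', 'rb');
$hex = $in === false ? false : stream_get_contents($in, MAX_BODY_BYTES + 1);
if ($hex === false || strlen($hex) > MAX_BODY_BYTES) {
    fail(413, 'request body too large');
}

// 2. The body must be even-length hex; pack("H*") would quietly tolerate junk.
$hex = trim($hex);
if ($hex === '' || strlen($hex) % 2 !== 0 || !ctype_xdigit($hex)) {
    fail(400, 'request body is not hex-encoded data');
}
$bytes = hex2bin($hex);   // same decoding as pack("H*", $hex), but strict about its input

// 3. Validate the decoded bytes in memory, before writing anything to disk.
$info = getimagesizefromstring($bytes);
if ($info === false || $info[2] !== IMAGETYPE_JPEG || $info['mime'] !== 'image/jpeg') {
    fail(415, 'not a JPEG image');
}
if ($info[0] > MAX_DIMENSION || $info[1] > MAX_DIMENSION) {
    fail(413, 'image dimensions too large');   // a tiny file can still declare a huge canvas
}

// 4. Re-encode through GD so that anything that is not pixel data
//    (metadata, trailing bytes appended after the image) is discarded.
$img = @imagecreatefromstring($bytes);
if ($img === false) {
    fail(415, 'image could not be decoded');
}

// 5. Store under a random server-generated name with a fixed extension;
//    never derive the name from anything the client sent.
$name = bin2hex(random_bytes(16)) . '.jpg';
$path = UPLOAD_DIR . DIRECTORY_SEPARATOR . $name;
if (!imagejpeg($img, $path, 85)) {
    imagedestroy($img);
    fail(500, 'could not store image');
}
imagedestroy($img);
chmod($path, 0640);   // readable by the application, not executable

header('Content-Type: text/plain');
echo $name;
```

The size check in step 1 is the one the answer asks for, and it is done twice on purpose: the Content-Length header is advisory, so the read itself is bounded too. Steps 3 and 4 are the ordering change that matters most relative to the question's code: the bytes are validated and re-encoded before a file exists, so there is never a window in which an unvalidated upload sits on disk under a predictable path.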
