Following this thread: PHP file upload: mime or extension based verification? I assume that I need to check the file extension of the file that I am uploading, correct?
I am trying to upload a binary file that results from a make file into a Raspberry using a PHP Interface.
This is the file in question:
Big_ppd_display_try1: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-armhf.so.3, for GNU/Linux 3.2.0, BuildID[sha1]=047e67dcea785cb3139bc690aebcf0d537ef40fe, with debug_info, not stripped
Following this thread: php check file extension in upload form
I can try:
$allowed = array('gif', 'png', 'jpg');
$filename = $_FILES['uploaded_file']['name'];
$ext = pathinfo($filename, PATHINFO_EXTENSION);
if (!in_array($ext, $allowed)) {
    echo 'error';
}
But how do I tell PHP to only allow binary files like Big_ppd_display_try1 that have no file extension?
Also, I am doing the upload from a Linux machine. What will that binary file look like on a Windows PC?
To make sure the file has no extension, compare it with null. To check for the MIME type, use the finfo_ functions:
$filename = $_FILES['uploaded_file']['name'];
$finfo = finfo_open(FILEINFO_MIME_TYPE);
$mime = finfo_file($finfo, $_FILES['uploaded_file']['tmp_name']);
$ext = pathinfo($filename, PATHINFO_EXTENSION);
// pathinfo() returns an empty string, not null, when the name has no extension
if ($ext === '' && $mime === 'application/octet-stream') {
    // do something
}
We can use the file command if you are using Linux, as below:
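// Build the command by concatenation and quote the path for the shell
$command = 'file ' . escapeshellarg($_FILES['uploaded_file']['tmp_name']);
$output = shell_exec($command);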
It will return a string like
ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-armhf.so.3, for GNU/Linux 3.2.0, BuildID[sha1]=047e67dcea785cb3139bc690aebcf0d537ef40fe, with debug_info, not stripped
You can evaluate the data returning the file type you want with this string.
I assume that I need to check the file extension of the file that I am uploading, correct?
No.
The file extension is an arbitrary part of the "suggested filename" which is entirely under the control of the user. The procedure you should be following is:
-
I don't know if this is the best resolve but I have ended up checking if the file is an application/octet-stream:
<?php
if (isset($_POST['update_button']) && $_POST['update_button'] == 'Update') {
    if (isset($_FILES['uploaded_file']) &&
        $_FILES['uploaded_file']['error'] === UPLOAD_ERR_OK &&
        $_FILES['uploaded_file']['type'] == "application/octet-stream")
    {
        // print_r($_FILES);
        echo "<br>Successful upload !<br> ";
    } else {
        echo "<br>File was not uploaded !<br> ";
    }
}
?>
I have ditched checking for file extension or MIME type because I think these can be easily bypassed.
I am now trying to execute the file with a certain argument and check its response.
This is the code I am working on now:
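// tmp_name is already the full path of the uploaded file on the server
$fileTmpPath = $_FILES['uploaded_file']['tmp_name'];
// Client-supplied name: kept for display only, never used in a path or command
$fileName = $_FILES['uploaded_file']['name'];
// Quote the path so nothing in it is interpreted by the shell
$command = 'sudo ' . escapeshellarg($fileTmpPath) . ' -argument';
echo '<br>' . htmlspecialchars($command) . '<br>';
$response = exec($command, $full, $status);
if ($status != 0) {
    echo "<br>Something went wrong<br>";
} else {
    echo '<br>' . htmlspecialchars($response) . '<br>';
}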
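Added example (not part of the original thread or any poster's code): rather than trusting the client-supplied name or type, the server can read the ELF header of the temporary file and compare it with the properties the `file` output in the question reports (ELF, 32-bit, LSB, executable, ARM). The helper name `is_expected_elf()` and the sample byte strings are assumptions made for this illustration.

```php
<?php
// Added example: accept an upload only if its ELF header matches the
// "ELF 32-bit LSB executable, ARM" description quoted in the question.
// is_expected_elf() is a hypothetical helper name, not a PHP built-in.

function is_expected_elf(string $path): bool
{
    $fh = @fopen($path, 'rb');
    if ($fh === false) {
        return false;
    }
    $header = fread($fh, 20);   // e_ident (16 bytes) + e_type + e_machine
    fclose($fh);
    if ($header === false || strlen($header) < 20) {
        return false;           // too short to hold the fields we need
    }
    if (substr($header, 0, 4) !== "\x7fELF") {
        return false;           // wrong magic bytes
    }
    if (ord($header[4]) !== 1 || ord($header[5]) !== 1) {
        return false;           // EI_CLASS 1 = 32-bit, EI_DATA 1 = little-endian
    }
    // e_type and e_machine are 16-bit little-endian values at offsets 16 and 18.
    $f = unpack('vtype/vmachine', substr($header, 16, 4));
    return $f['type'] === 2      // ET_EXEC (a PIE/shared object would be 3)
        && $f['machine'] === 40; // EM_ARM
}

// Constructed sample headers so the check can be run offline.
$good = "\x7fELF\x01\x01\x01" . str_repeat("\0", 9) . pack('vv', 2, 40);
$bad  = "GIF89a" . str_repeat("\0", 14);
foreach (['good' => $good, 'bad' => $bad] as $label => $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'elf');
    file_put_contents($tmp, $bytes);
    echo $label, ': ', is_expected_elf($tmp) ? "accepted\n" : "rejected\n";
    unlink($tmp);
}

// In the upload handler (field name 'uploaded_file' as in the question):
// if (is_uploaded_file($_FILES['uploaded_file']['tmp_name'])
//     && is_expected_elf($_FILES['uploaded_file']['tmp_name'])) { ... }
```

A matching header identifies the file format only; it says nothing about who built the binary or what it does when run.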