How to check PHP File Upload if file doesn't have extension?

Question

Following this thread: PHP file upload: mime or extension based verification? I assume that I need to check the file extension of the file that I am uploading, correct?

I am trying to upload a binary file that results from a make file into a Raspberry using a PHP Interface.

This is the file in question:

Big_ppd_display_try1: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-armhf.so.3, for GNU/Linux 3.2.0, BuildID[sha1]=047e67dcea785cb3139bc690aebcf0d537ef40fe, with debug_info, not stripped

Following this thread: php check file extension in upload form

I can try:

$allowed =  array('gif','png' ,'jpg');
$filename = $_FILES['uploaded_file']['name'];
$ext = pathinfo($filename, PATHINFO_EXTENSION);
if(!in_array($ext,$allowed) ) {
    echo 'error';
}

But how do I tell PHP to only allow binary files like Big_ppd_display_try1 that have no file extension ?

Also, I am doing the upload from a Linux machine. How will that binary file look like on a Windows PC?

Answer 1

To make sure file has no extension, compare it with null . To check for mime tipe use finfo_ functions:

$filename = $_FILES['uploaded_file']['name'];
$finfo = finfo_open(FILEINFO_MIME_TYPE);
$mime = finfo_file($finfo, $_FILES['uploaded_file']['tmp_name']);
$ext = pathinfo($filename, PATHINFO_EXTENSION);
if ($ext === null && $mime === 'application/octet-stream') {
    //do something
}

Answer 2

We can use file command if you are using linux like as bellow

  $command = "file $_FILES['uploaded_file']['tmp_name']";
  shell_exec($command);

It will return a string like

ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-armhf.so.3, for GNU/Linux 3.2.0, BuildID[sha1]=047e67dcea785cb3139bc690aebcf0d537ef40fe, with debug_info, not stripped

You can evaluate the data returning the file type you want with this string.

Answer 3

I assume that I need to check the file extension of the file that I am uploading, correct?

No.

The file extension is an arbitrary part of the "suggested filename" which is entirely under the control of the user . The procedure you should be following is:

1. Inspect the contents of the file as shown in this question .
2. Reject the file if the detected type is not in your allowed list.
3. Generate your own filename to save it to:
   • the extension should be based on the file type determined at step 1
   • the rest of the name might be based on what the user suggested, but should be filtered through a whitelist of allowed characters, eg replacing everything other than letters and numbers with -

Answer 4

I don't know if this is the best resolve but I have ended up checking if the file is an application/octet-stream :

<?php

if (isset($_POST['update_button']) && $_POST['update_button'] == 'Update') {
    if (isset($_FILES['uploaded_file']) &&
        $_FILES['uploaded_file']['error'] === UPLOAD_ERR_OK &&
        $_FILES['uploaded_file']['type'] == "application/octet-stream")
    {
        // print_r($_FILES);
        echo "<br>Successful upload !<br> ";      
    } else {
        echo "<br>File was not uploaded !<br> ";
    }
}

?>

I have ditched checking for file extension or MIME type because I think these can be easily bypassed.

I am now trying to execute the file with a certain argument and check it's response.

This is the code I am working on now:

        $fileTmpPath = $_FILES['uploaded_file']['tmp_name'];
        $fileName = $_FILES['uploaded_file']['name'];
        // echo "<br>$fileTmpPath"."/$fileName<br>";
        $command = "sudo .$fileTmpPath"."/$fileName -argument";
        echo "<br>$command<br>";

        $response = exec($command, $full, $status);
        if($status != 0) {
            echo "<br>Something went wrong<br>";
        } else {
            echo "<br>$response<br>";
        }