Secure File Upload and validating it

Question

I get Video uploads and image uploads:

My environment: LAMP

EDIT: I will allow remote upload and POST video upload

EDIT2: The files which i get will be renamed i wont store the orginal file names.

1. First I check with $_FILES the mime type.

2. Second I check with finfo_file (if function exists) the mimetype again ( PHP 5.3 ) or with shell command file.

3. File gets moved to public dir if its passed the above checks.

My question is this setup secure? Or can I improve something? I read the hole day yesterday this seems for me enough, but who knows:)

I'm a novice when it comes coding and security:-)

Answer 1

I can also recommend the followings:

1. is_uploaded_file Returns TRUE if the file named by filename was uploaded via HTTP POST. This is useful to help ensure that a malicious user hasn't tried to trick the script into working on files upon which it should not be working--for instance, /etc/passwd.This sort of check is especially important if there is any chance that anything done with uploaded files could reveal their contents to the user, or even to other users on the same system.

2. basename() function to get only file name such as basename(c:/fakepath/something.avi); // will return something.avi basename(c:/fakepath/something.avi); // will return something.avi since some people try to deceive the computer by giving directory-alike file names.

More about basename() :

When you upload a file, you want to move a file to the directory you want for example under /uploads/ folder and but a malicious user can name the file such as something/hello.jpg and then when you move the file with move_uploaded_file($source,$destionation) your $destination would be /uploads/something/hello.jpg and that causes problems. To ensure you got only the proper file name you need to use basename() function which returns hello.jpg and so on.

$file_name = basename($_FILES["upload_ctrl"]["name"]);
if(!move_uploaded_file($_FILES["upload_ctrl"]["tmp_name"],"uploads/".$file_name))
    echo "Opps I cannot upload the file";

For usage of basename visit here: http://php.net/manual/en/function.basename.php

Answer 2

as long as you rename with your own file name and extension, and have no include type vulnerabilities in your apps code (ie: include($_GET['whatever']);), this is fairly good. you will also want to make sure everything on your server stack is the latest version (especially anything that processes images/video).

others would recommend including a file serving script which outputs the file, instead of keeping the file in a public folder and referencing the file directly in your src attributes. some would also recommend virus scanning everything.