PHP Uploads — Disallow certain extensions bad?

I have an upload form that I'm working on that will allow up to 300MB.

Our client doesn't want to regulate what files are uploaded since their clients might send a large image file such as a png, tiff, psd, etc.

Would a "disallow" list work better than an allow list? It moves it to an uploads folder. I have the uploads folder deny all and hide the index in the .htaccess, along with adding their IP to block and then showing a 404 page. This works if they try to access a file directly as well.

I don't want people to upload a .php, .php5, .asp, .exe, etc.

Is there a list of files that I can find to disallow files like that, or just write them from scratch?

Sorry for getting off-topic.

Thanks

It's best to use an allow list (whitelist) rather than a disallow list (blacklist) for security reasons. Here is a pretty comprehensive array of file extensions and their MIME types to allow, taken from WordPress:

<?php
// Keys are pipe-separated extensions, values are the MIME type each maps to.
$allowed_mime_types = array(
    // Image formats
    'jpg|jpeg|jpe' => 'image/jpeg',
    'gif' => 'image/gif',
    'png' => 'image/png',
    'bmp' => 'image/bmp',
    'tif|tiff' => 'image/tiff',
    'ico' => 'image/x-icon',
    // Video formats
    'asf|asx|wax|wmv|wmx' => 'video/asf',
    'avi' => 'video/avi',
    'divx' => 'video/divx',
    'flv' => 'video/x-flv',
    'mov|qt' => 'video/quicktime',
    'mpeg|mpg|mpe' => 'video/mpeg',
    'mp4|m4v' => 'video/mp4',
    'ogv' => 'video/ogg',
    'mkv' => 'video/x-matroska',
    // Text formats
    'txt|asc|c|cc|h' => 'text/plain',
    'csv' => 'text/csv',
    'tsv' => 'text/tab-separated-values',
    'ics' => 'text/calendar',
    'rtx' => 'text/richtext',
    'css' => 'text/css',
    'htm|html' => 'text/html',
    // Audio formats
    'mp3|m4a|m4b' => 'audio/mpeg',
    'ra|ram' => 'audio/x-realaudio',
    'wav' => 'audio/wav',
    'ogg|oga' => 'audio/ogg',
    'mid|midi' => 'audio/midi',
    'wma' => 'audio/wma',
    'mka' => 'audio/x-matroska',
    // Misc application formats
    'rtf' => 'application/rtf',
    'js' => 'application/javascript',
    'pdf' => 'application/pdf',
    'swf' => 'application/x-shockwave-flash',
    'class' => 'application/java',
    'tar' => 'application/x-tar',
    'zip' => 'application/zip',
    'gz|gzip' => 'application/x-gzip',
    'rar' => 'application/rar',
    '7z' => 'application/x-7z-compressed',
    // MS Office formats
    'doc' => 'application/msword',
    'pot|pps|ppt' => 'application/vnd.ms-powerpoint',
    'wri' => 'application/vnd.ms-write',
    'xla|xls|xlt|xlw' => 'application/vnd.ms-excel',
    'mdb' => 'application/vnd.ms-access',
    'mpp' => 'application/vnd.ms-project',
    'docx' => 'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
    'docm' => 'application/vnd.ms-word.document.macroEnabled.12',
    'dotx' => 'application/vnd.openxmlformats-officedocument.wordprocessingml.template',
    'dotm' => 'application/vnd.ms-word.template.macroEnabled.12',
    'xlsx' => 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
    'xlsm' => 'application/vnd.ms-excel.sheet.macroEnabled.12',
    'xlsb' => 'application/vnd.ms-excel.sheet.binary.macroEnabled.12',
    'xltx' => 'application/vnd.openxmlformats-officedocument.spreadsheetml.template',
    'xltm' => 'application/vnd.ms-excel.template.macroEnabled.12',
    'xlam' => 'application/vnd.ms-excel.addin.macroEnabled.12',
    'pptx' => 'application/vnd.openxmlformats-officedocument.presentationml.presentation',
    'pptm' => 'application/vnd.ms-powerpoint.presentation.macroEnabled.12',
    'ppsx' => 'application/vnd.openxmlformats-officedocument.presentationml.slideshow',
    'ppsm' => 'application/vnd.ms-powerpoint.slideshow.macroEnabled.12',
    'potx' => 'application/vnd.openxmlformats-officedocument.presentationml.template',
    'potm' => 'application/vnd.ms-powerpoint.template.macroEnabled.12',
    'ppam' => 'application/vnd.ms-powerpoint.addin.macroEnabled.12',
    'sldx' => 'application/vnd.openxmlformats-officedocument.presentationml.slide',
    'sldm' => 'application/vnd.ms-powerpoint.slide.macroEnabled.12',
    'onetoc|onetoc2|onetmp|onepkg' => 'application/onenote',
    // OpenOffice formats
    'odt' => 'application/vnd.oasis.opendocument.text',
    'odp' => 'application/vnd.oasis.opendocument.presentation',
    'ods' => 'application/vnd.oasis.opendocument.spreadsheet',
    'odg' => 'application/vnd.oasis.opendocument.graphics',
    'odc' => 'application/vnd.oasis.opendocument.chart',
    'odb' => 'application/vnd.oasis.opendocument.database',
    'odf' => 'application/vnd.oasis.opendocument.formula',
    // WordPerfect formats
    'wp|wpd' => 'application/wordperfect',
);

If there is anything missing you can add it, but this should cover almost any files they will need to upload, while not allowing any potentially malicious files.

You can do something like this once you get the extension:

<?php
// $extension is assumed to already hold the lowercased extension of the
// uploaded file name, e.g. strtolower(pathinfo($name, PATHINFO_EXTENSION)).
$not_allowed = array('php', 'php5', 'exe');

if (in_array($extension, $not_allowed, true)) {
    echo 'File not allowed';
} else {
    echo 'File allowed';
}

Or, the opposite:

<?php
// Same assumption about $extension as above.
$allowed = array('doc', 'pdf', 'docx');

if (in_array($extension, $allowed, true)) {
    echo 'File allowed';
} else {
    echo 'File not allowed';
}
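The allow-list check above only looks at the extension string. As an added example (not part of the original answer or of WordPress), here is a complete PHP upload handler that ties the extension check to the extension-to-MIME map from the answer, sniffs the real file content with `finfo` instead of trusting the client-supplied `$_FILES[...]['type']`, only ever considers the last extension (so `shell.php.jpg` must actually be a JPEG), renames the file to a random server-chosen name and stores it outside the web root. `UPLOAD_DIR`, `MAX_BYTES`, `$allowed_types`, `flatten_types()`, `validate_upload()` and `store_upload()` are names assumed for this example; the map is a short subset of the one in the answer.

```php
<?php
// Added example: allow-list upload validation with content sniffing.
// Not code from the original post; names below are assumptions.

const UPLOAD_DIR = '/var/www/uploads_private'; // assumed: a directory outside the web root
const MAX_BYTES  = 300 * 1024 * 1024;           // 300MB, the limit from the question

// Subset of the answer's extension => MIME map (same key format).
$allowed_types = array(
    'jpg|jpeg|jpe' => 'image/jpeg',
    'png'          => 'image/png',
    'gif'          => 'image/gif',
    'tif|tiff'     => 'image/tiff',
    'pdf'          => 'application/pdf',
    'zip'          => 'application/zip',
);

// Turn 'jpg|jpeg|jpe' => mime into one lowercased key per extension.
function flatten_types(array $map): array {
    $out = array();
    foreach ($map as $exts => $mime) {
        foreach (explode('|', $exts) as $ext) {
            $out[strtolower($ext)] = $mime;
        }
    }
    return $out;
}

// Returns array(ok, message, extension). Only the LAST extension is used,
// so "shell.php.jpg" is treated as .jpg and then has to pass the content
// check as a real JPEG.
function validate_upload(array $file, array $types): array {
    if ($file['error'] !== UPLOAD_ERR_OK) {
        return array(false, 'upload error ' . $file['error'], null);
    }
    if ($file['size'] > MAX_BYTES) {
        return array(false, 'file too large', null);
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if ($ext === '' || !isset($types[$ext])) {
        return array(false, "extension '$ext' not on the allow list", null);
    }
    $expected = $types[$ext];
    // Sniff the actual bytes; $file['type'] is set by the client and is not trusted.
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($file['tmp_name']);
    if ($detected !== $expected) {
        return array(false, "content is $detected, expected $expected for .$ext", null);
    }
    return array(true, 'ok', $ext);
}

// Moves the file under a random name so the client-supplied name never
// reaches the filesystem, and drops the execute bit.
function store_upload(array $file, string $ext): string {
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move uploaded file');
    }
    chmod($dest, 0640);
    return $name;
}

$types = flatten_types($allowed_types);
if (isset($_FILES['upload'])) {
    list($ok, $msg, $ext) = validate_upload($_FILES['upload'], $types);
    if (!$ok) {
        http_response_code(400);
        echo 'File not allowed: ' . htmlspecialchars($msg);
    } else {
        $saved = store_upload($_FILES['upload'], $ext);
        echo 'File allowed, stored as ' . htmlspecialchars($saved);
    }
}
```

Two caveats when adapting this to the full map in the answer. First, libmagic's result for container formats varies by version: OOXML files (docx, xlsx, pptx) are often reported as `application/zip` rather than the `vnd.openxmlformats-...` type, so those entries need either a looser comparison or a dedicated check. Second, entries such as `htm|html`, `js` and `swf` are safe to store but not safe to serve from the site's own origin, since a visitor opening them gets active content under that origin; keeping the directory outside the web root (or, as in the question, denied in .htaccess) and delivering files through a download script that sets `Content-Disposition: attachment` avoids that.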
