Forum Topic: $_files['file']['type']=='zip';

(336 views • 21 replies)

Super-Yombario

Posted at: 5/2/09 02:46 AM

Super-Yombario FAB LEVEL 06

Sign-Up: 03/16/07

Posts: 1,172

How do I read if the file I'm uploading is a ZIP folder?

RIP Ed McMahon - RIP Farrah Fawcett - RIP Michael Jackson
But wait, there's more...
RIP Billy Mays


Nano256

Posted at: 5/2/09 02:50 AM

Nano256 DARK LEVEL 13

Sign-Up: 02/12/05

Posts: 1,474

http://us3.php.net/zip

Move on to ActionScript 3.0 already!
The third post below this one is a lie.

henke37

Posted at: 5/2/09 05:02 AM

henke37 NEUTRAL LEVEL 23

Sign-Up: 09/10/04

Posts: 3,582

You could check the file extension, hope for the client to tell you that its mimetype is the right one, or actually open the file and make an educated guess based on its contents.

Each time someone abuses hittest, God kills a kitten. Please, learn real collision testing.


WoogieNoogie

Posted at: 5/2/09 05:03 AM

WoogieNoogie LIGHT LEVEL 14

Sign-Up: 06/26/05

Posts: 3,284

The ZIP mimetype can be any of these.

application/zip
application/x-zip
application/x-zip-compressed
application/octet-stream
application/x-compress
application/x-compressed
multipart/x-zip

Just make a check against it, like...

$filetype = "application/zip";
// Reject the upload unless the client-supplied type matches
if ($filetype !== $_FILES['data']['type']) {
    die();
}
At 5/2/09 02:50 AM, Nano256 wrote: http://us3.php.net/zip

Wow, what a useless post.


elbekko

Posted at: 5/2/09 06:14 AM

elbekko EVIL LEVEL 16

Sign-Up: 07/23/04

Posts: 6,587

Open it up and read the file header:
http://www.pkware.com/documents/casestudies/APPNOTE.TXT

A.  Local file header:

        local file header signature     4 bytes  (0x04034b50)

"My software never has bugs. It just develops random features. " - Unknown

[ FluxBB developer | Quickmarks 0.5.1 | Strings & Ints - my blog ]

Thomas

Posted at: 5/2/09 02:20 PM

Thomas LIGHT LEVEL 13

Sign-Up: 02/14/05

Posts: 2,833

The way I prefer to check file types is by getting the actual extension itself. Here's how I do it:

<?php
//This is what was in the file field, except just the basename (ex. 'image.png')
$file_name = basename($_FILES['data']['name']);

//We need to split the $file_name string apart at any of the periods (.)
$name_exp = explode('.', $file_name);

//In order to be sure we are getting the extension, we reverse the array.
//This ensures that if the name is 'wtf.lol.dude.JPG', 'JPG' will be the first value in the array ([0]).
$name_arr = array_reverse($name_exp);

//The extension is the first value of the reversed array
$file_ext = $name_arr[0];

//Create an array with the allowed extensions (all lowercase; the extension is lowercased before the check)
$files_allowed = array('zip', 'jpg', 'pjpeg');

//Check the lowercased extension against the allowed list, so 'JPG' and 'jpg' both pass
if (!in_array(strtolower($file_ext), $files_allowed)) {
	die('Error: File type selected not allowed.');
}
?>

That's how I do it, and it works very well. Mimetypes alone can be very insecure.


DFox

Posted at: 5/2/09 02:23 PM

DFox LIGHT LEVEL 30

Sign-Up: 08/09/03

Posts: 9,474

At 5/2/09 05:03 AM, WoogieNoogie wrote:
At 5/2/09 02:50 AM, Nano256 wrote: http://us3.php.net/zip
Wow, what a useless post.

Actually, that was the most useful post so far. If you just use the open method of that class, it'll tell you if it's a zip file for sure...
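The thread's suggestions combined into one upload handler, as an added example that is not code from any poster: it never consults $_FILES['file']['type'] (WoogieNoogie's list shows how many values a client may send), takes the extension after the last dot as Thomas's post does, compares the first four bytes to the local file header signature 0x04034b50 elbekko quotes from APPNOTE.TXT, and then lets ZipArchive::open parse the central directory as DFox suggests. The field name 'file', the 13333337-byte limit and the upload/libs directory are taken from the original question; the random server-side filename and the entry-name check are additions beyond the thread, and the code assumes PHP 7 or later with the Zip extension loaded.

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 7.0 with ext/zip,
// a form field named 'file', and a writable upload/libs directory.

/**
 * Validate an uploaded ZIP and move it into $dest_dir under a random name.
 * Returns the stored path, or throws RuntimeException with the reason.
 * $_FILES[...]['type'] is never consulted: the client chooses that value.
 */
function validate_zip_upload(array $file, int $max_bytes, string $dest_dir): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed (error code ' . ($file['error'] ?? 'none') . ')');
    }
    $tmp = $file['tmp_name'];
    // Only accept files PHP itself received in this POST, not arbitrary paths.
    if (!is_uploaded_file($tmp)) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > $max_bytes || filesize($tmp) > $max_bytes) {
        throw new RuntimeException('file too large');
    }

    // 1. Extension: the part after the LAST dot, compared case-insensitively.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if ($ext !== 'zip') {
        throw new RuntimeException("extension '$ext' not allowed");
    }

    // 2. Magic bytes: the first 4 bytes must be the local file header
    //    signature 0x04034b50 from APPNOTE.TXT ("PK\x03\x04" on disk, little-endian).
    //    An archive with no entries has no local header and starts with the
    //    end-of-central-directory signature 0x06054b50 instead (also per APPNOTE).
    $fh = fopen($tmp, 'rb');
    if ($fh === false) {
        throw new RuntimeException('cannot open temp file');
    }
    $head = fread($fh, 4);
    fclose($fh);
    if (strlen($head) < 4) {
        throw new RuntimeException('file shorter than a ZIP header');
    }
    $sig = unpack('Vsig', $head)['sig'];
    if ($sig !== 0x04034b50 && $sig !== 0x06054b50) {
        throw new RuntimeException(sprintf('bad signature 0x%08x', $sig));
    }

    // 3. Structure: let ZipArchive parse the whole central directory.
    $zip = new ZipArchive();
    $rc = $zip->open($tmp, ZipArchive::CHECKCONS);
    if ($rc !== true) {
        throw new RuntimeException("ZipArchive::open failed with code $rc");
    }
    // Addition beyond the thread: refuse entry names that could escape the
    // directory the archive will later be extracted into (absolute paths,
    // any '..' component, backslashes).
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if ($name === false || $name === '' || $name[0] === '/'
            || strpos($name, '..') !== false || strpos($name, '\\') !== false) {
            $zip->close();
            throw new RuntimeException('unsafe entry name: ' . var_export($name, true));
        }
    }
    $zip->close();

    // 4. Store under a server-chosen name; never reuse $file['name'] on disk.
    $dest = rtrim($dest_dir, '/') . '/' . bin2hex(random_bytes(16)) . '.zip';
    if (!move_uploaded_file($tmp, $dest)) {
        throw new RuntimeException('move_uploaded_file failed');
    }
    return $dest;
}

// Usage in the handler from the original question (error text from the thread):
try {
    $stored = validate_zip_upload($_FILES['file'], 13333337, __DIR__ . '/upload/libs');
    echo 'Stored as ' . htmlspecialchars($stored);
} catch (RuntimeException $e) {
    http_response_code(400);
    echo 'Incorrect file type; must be a ZIP library (' . htmlspecialchars($e->getMessage()) . ')';
}
```

The signature check is cheap and rejects most mislabelled files before ZipArchive touches them; ZipArchive::open with CHECKCONS then catches a file that merely starts with "PK" but has a broken or forged central directory. Because the stored name is generated server-side, a client-supplied name such as "x.php.zip" or one containing path separators never reaches the filesystem.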


WoogieNoogie

Posted at: 5/2/09 10:04 PM

WoogieNoogie LIGHT LEVEL 14

Sign-Up: 06/26/05

Posts: 3,284

At 5/2/09 02:23 PM, DFox wrote: Actually, that was the most useful post so far. If you just use the open method of that class, it'll tell you if it's a zip file for sure...

It would be pretty difficult to determine if it was a zip file before it was uploaded with that method.


DFox

Posted at: 5/2/09 10:18 PM

DFox LIGHT LEVEL 30

Sign-Up: 08/09/03

Posts: 9,474

At 5/2/09 10:04 PM, WoogieNoogie wrote: It would be pretty difficult to determine if it was a zip file before it was uploaded with that method.

Odds are any time you check ANYTHING about a file, it's already "uploaded". Any time the form posts to the page on your server, the file being uploaded is stored in the temp directory. So, any time you use the $_files array, the file is already "uploaded". Since it's on your server already, you might as well check the contents.


VigilanteNighthawk

Posted at: 5/3/09 02:27 AM

VigilanteNighthawk LIGHT LEVEL 03

Sign-Up: 02/13/03

Posts: 1,691

At 5/2/09 10:04 PM, WoogieNoogie wrote:
At 5/2/09 02:23 PM, DFox wrote:
It would be pretty difficult to determine if it was a zip file before it was uploaded with that method.

While I could be wrong about this, I believe that script execution begins after all user input has been fully received by the server. Therefore, your upload will be complete before the first line of code ever executes.


WoogieNoogie

Posted at: 5/3/09 03:07 PM

WoogieNoogie LIGHT LEVEL 14

Sign-Up: 06/26/05

Posts: 3,284

At 5/3/09 02:27 AM, VigilanteNighthawk wrote: While I could be wrong about this, I believe that script execution begins after all user input has been fully received by the server. Therefore, your upload will be complete before the first line of code ever executes.

Yeah, that's what DFox was saying as well. I'd just be wary about trying to open the file, honestly.


CronoMan

Posted at: 5/4/09 06:04 AM

CronoMan EVIL LEVEL 06

Sign-Up: 07/19/04

Posts: 2,981

if(stricmp(substr($filename, strlen($filename) - 4)), ".zip") == 0)
    ....

Why make it more complex than it has to

"no sound in ass"


DFox

Posted at: 5/4/09 08:56 AM

DFox LIGHT LEVEL 30

Sign-Up: 08/09/03

Posts: 9,474

At 5/4/09 06:04 AM, CronoMan wrote: if(stricmp(substr($filename, strlen($filename) - 4)), ".zip") == 0)
....

Why make it more complex than it has to

Because you might as well use syntax that works and a function that actually exists...


CronoMan

Posted at: 5/4/09 10:49 AM

CronoMan EVIL LEVEL 06

Sign-Up: 07/19/04

Posts: 2,981

At 5/4/09 08:56 AM, DFox wrote: Because you might as well use syntax that works and a function that actually exists...

You're right, pardon me for forgetting that php has no consistency at all; obviously stricmp should be strcasecmp for some reason. I ignorantly assumed that strcmp used the same construct as the other case insensitive functions, such as stripos and stristr. MY BAD :P
Additionally, you're right as it should be strlen - 5 because obviously substring is zero-based
If you point out anything else syntactically incorrect (like that I have one parenthesis too many), I'll instead describe what point I'm trying to reach :

Extract the 4 last characters of the filename.

I personally don't think it's such a bad idea to assume that a file is a zip-file, if it ends with the string ".zip" - I mean, that's what extensions are for, right?
Elaboration on the subject is here

DFox

Posted at: 5/4/09 12:02 PM

DFox LIGHT LEVEL 30

Sign-Up: 08/09/03

Posts: 9,474

At 5/4/09 10:49 AM, CronoMan wrote: Extract the 4 last characters of the filename.

But why? What if the extension is 1 character? 2 characters? 3 characters? 4 characters? Then you have a messed up script. So no, that logic wouldn't work. Rather, like other people have suggested in this thread, you would use explode() to get the last part, which has to be the extension, and it doesn't matter how many characters long it is.

So instead of yelling at PHP, learn how to write working, adaptable algorithms first because from this example it doesn't really seem like PHP is the problem.

I personally don't think it's such a bad idea to assume that a file is a zip-file, if it ends with the string ".zip" - I mean, that's what extensions are for, right?

No, it isn't. When you're working with files like exe's, zips, etc, that can actually contain executable/dangerous code, I think you want to know if the file is what the extension says it is. When you're working with jpg's, gifs, pngs, etc, it doesn't really matter if the file integrity isn't there. What's the worst that can happen? An invalid image error?


elbekko

Posted at: 5/4/09 02:47 PM

elbekko EVIL LEVEL 16

Sign-Up: 07/23/04

Posts: 6,587

At 5/4/09 12:02 PM, DFox wrote: No, it isn't. When you're working with files like exe's, zips, etc, that can actually contain executable/dangerous code, I think you want to know if the file is what the extension says it is. When you're working with jpg's, gifs, pngs, etc, it doesn't really matter if the file integrity isn't there. What's the worst that can happen? An invalid image error?

Actually:
http://www.h-online.com/security/Risky-MIME-sniffing-in-Internet-Explorer--/features/112589

DFox

Posted at: 5/4/09 03:02 PM

DFox LIGHT LEVEL 30

Sign-Up: 08/09/03

Posts: 9,474

At 5/4/09 02:47 PM, elbekko wrote: Actually:
http://www.h-online.com/security/Risky-MIME-sniffing-in-Internet-Explorer--/features/112589

OK, so I guess you want to check the integrity of image files also, although I'm not sure the easiest way to do that. Do you know of any classes for this?


Deja-Vu

Posted at: 5/4/09 03:40 PM

Deja-Vu NEUTRAL LEVEL 25

Sign-Up: 05/03/02

Posts: 556

At 5/4/09 03:02 PM, DFox wrote:
At 5/4/09 02:47 PM, elbekko wrote: Actually:
http://www.h-online.com/security/Risky-MIME-sniffing-in-Internet-Explorer--/features/112589
OK, so I guess you want to check the integrity of image files also, although I'm not sure the easiest way to do that. Do you know of any classes for this?

Check this article for one way of doing it: http://www.rorsecurity.info/journal/2009/2/11/mime-sniffing-in-ie-enables-xss-attacks.html

CronoMan

Posted at: 5/4/09 03:56 PM

CronoMan EVIL LEVEL 06

Sign-Up: 07/19/04

Posts: 2,981

At 5/4/09 12:02 PM, DFox wrote:
At 5/4/09 10:49 AM, CronoMan wrote: Extract the 4 last characters of the filename.
But why? What if the extension is 1 character? 2 characters? 3 characters? 4 characters? Then you have a messed up script. So no, that logic wouldn't work. Rather, like other people have suggested in this thread, you would use explode() to get the last part, which has to be the extension, and it doesn't matter how many characters long it is.

I'm going on the assumption that he wanted to check if it were a .zip file. That's 4 characters
If there were less than 4 characters, strcmp would return a negative number, and it wouldn't be a .zip-file
If you want a way to retrieve the extension of any file, you create a function for that
The explode-solution is not viable when there is an easier, and less resource intensive way to do it. Exploding into an array so you can basically just feed the garbage collector with useless junk is a waste, no matter how small and insignificant it might seem. There's no reason to jump through burning hoops just in order to retrieve the extension of a file

if you instead wrote a function which would retrieve the last occurrence of . and then return the portion after that would be a lot simpler and more resource friendly

So instead of yelling at PHP, learn how to write working, adaptable algorithms first because from this example it doesn't really seem like PHP is the problem.

I'm not yelling at PHP, you pointed out an obvious inconsistency in PHP - I mistook strcmp to have the same construct as strpos and strstr. Which it doesn't

My "outline" does exactly what the purpose is - it checks to see if the filename ends with .zip, which means it's a zip-file.

I personally don't think it's such a bad idea to assume that a file is a zip-file, if it ends with the string ".zip" - I mean, that's what extensions are for, right?
No, it isn't. When you're working with files like exe's, zips, etc, that can actually contain executable/dangerous code, I think you want to know if the file is what the extension says it is. When you're working with jpg's, gifs, pngs, etc, it doesn't really matter if the file integrity isn't there. What's the worst that can happen? An invalid image error?

Web servers shouldn't try to execute code, nor do I think they can (except CGI of course)

So just checking the extension at first is more than enough - keep it simple

At 5/4/09 03:02 PM, DFox wrote:
At 5/4/09 02:47 PM, elbekko wrote: Actually:
http://www.h-online.com/security/Risky-MIME-sniffing-in-Internet-Explorer--/features/112589
OK, so I guess you want to check the integrity of image files also, although I'm not sure the easiest way to do that. Do you know of any classes for this?

http://no2.php.net/manual/en/book.zip.php

elbekko

Posted at: 5/4/09 05:24 PM

elbekko EVIL LEVEL 16

Sign-Up: 07/23/04

Posts: 6,587

At 5/4/09 03:02 PM, DFox wrote:
At 5/4/09 02:47 PM, elbekko wrote: Actually:
http://www.h-online.com/security/Risky-MIME-sniffing-in-Internet-Explorer--/features/112589
OK, so I guess you want to check the integrity of image files also, although I'm not sure the easiest way to do that. Do you know of any classes for this?

You don't need to do anything special apart from giving it the correct extension based on the type getimagesize() says it has. This is still open to attack by a badly configured server though.
If you want uber security, run it through GD.
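What elbekko describes, written out as an added example rather than his code: getimagesize() decides the type, the stored extension follows that decision instead of the upload name, and GD re-encodes the pixels so that bytes a sniffing browser might read as HTML are never written to the served file. It assumes PHP 7 or later with GD; the form field 'image' and the destination directory are placeholders chosen here.

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 7.0 with GD,
// a form field named 'image', and a writable destination directory.

/**
 * Re-encode an uploaded image with GD so only pixel data survives.
 * Returns the stored path or throws RuntimeException.
 */
function store_image_reencoded(array $file, string $dest_dir): string
{
    if (($file['error'] ?? null) !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    $tmp = $file['tmp_name'];

    // getimagesize() parses the real image header; it ignores both the
    // client's $_FILES[...]['type'] and the filename extension.
    $info = @getimagesize($tmp);
    if ($info === false) {
        throw new RuntimeException('not an image');
    }

    // Decoder and stored extension follow the detected type, not the upload name.
    switch ($info[2]) {
        case IMAGETYPE_PNG:
            $img = @imagecreatefrompng($tmp);
            $ext = 'png';
            break;
        case IMAGETYPE_JPEG:
            $img = @imagecreatefromjpeg($tmp);
            $ext = 'jpg';
            break;
        case IMAGETYPE_GIF:
            $img = @imagecreatefromgif($tmp);
            $ext = 'gif';
            break;
        default:
            throw new RuntimeException('image type not allowed');
    }
    if ($img === false) {
        throw new RuntimeException('image could not be decoded');
    }

    // Server-chosen name; the extension matches what GD is about to write.
    $dest = rtrim($dest_dir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;

    // Writing a fresh file from the decoded pixels drops any script or HTML
    // bytes hidden in the original, along with EXIF blocks and comments.
    switch ($ext) {
        case 'png':
            $ok = imagepng($img, $dest);
            break;
        case 'jpg':
            $ok = imagejpeg($img, $dest, 90);
            break;
        default:
            $ok = imagegif($img, $dest);
            break;
    }
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('could not write re-encoded image');
    }
    return $dest;
}

// Usage (field name and directory are placeholders):
try {
    $path = store_image_reencoded($_FILES['image'], __DIR__ . '/upload/images');
    echo 'Stored as ' . htmlspecialchars($path);
} catch (RuntimeException $e) {
    http_response_code(400);
    echo 'Rejected: ' . htmlspecialchars($e->getMessage());
}
```

Re-encoding costs CPU and loses lossless fidelity for JPEGs, which is the trade-off behind elbekko's "if you want uber security" qualifier. It does not address his other caveat about a badly configured server: if the upload directory lets the web server run scripts, the extension chosen here still matters, so keep uploads outside the document root or disable script execution there. When the files are served, the response header X-Content-Type-Options: nosniff tells IE8 and later browsers not to sniff the content type at all, which closes the IE behaviour the h-online article covers from the serving side.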

Super-Yombario

Posted at: 5/7/09 08:42 PM

Super-Yombario FAB LEVEL 06

Sign-Up: 03/16/07

Posts: 1,172

*sigh* this again...

So basically what I have thus yet is:

if($_FILES['file']['type']=='application/zip'&&$_FILES['file']['size']>13333337)
	move_uploaded_file($_FILES['file']['tmp_name'],'./upload/libs/'.$_FILES['file']['name']);

And no matter what file type I upload, I get the same error (coded into it of course): "Incorrect file type; must be a ZIP library"

With the image uploader I made-- same thing, but with image/png and image/gif in it-- it works fine.

WoogieNoogie

Posted at: 5/7/09 09:27 PM

WoogieNoogie LIGHT LEVEL 14

Sign-Up: 06/26/05

Posts: 3,284

That's not the only filetype zip can be.


All times are Eastern Standard Time (GMT -5).