
File Upload Plugin v6.0 Security Released

Date: Wed, Jun 2nd 2010, 16:49 Author: nick

CakePHP File Upload Plugin

Get it:
  • Download Now
  • git clone git://github.com/webtechnick/CakePHP-FileUpload-Plugin file_upload

What's new in 6.0

FileUploadPlugin v6.0 is a security release rather than a features release. There are two major changes that you should be aware of.

First, a bug fix: if a fileNameCallback function returns false, the upload is now halted, as documented.

Second, I've changed the way the plugin validates a file being uploaded. Previously the uploader only checked the MIME type of the file being uploaded. Now the uploader checks the extension as well as the MIME type. Both must match, or a validation error occurs and the upload is halted. This fixes a potential hole that would allow an attacker to alter the MIME type of a file in order to pass in a malicious file with its extension intact. This matters because most servers decide how to execute a file by its extension, not its MIME type.

This new check required a change in how the allowedTypes array is constructed. Previously, allowedTypes was a flat array of MIME types. Now it is a multi-dimensional array keyed by extension, with each extension's permitted MIME types as an array.

Some Examples

Example Setting With a Controller:

  //validate only image/jpeg and image/pjpeg mime types with ext .jpg
  //validate only image/png mime type file with ext .png
  //validate all MIME types for ext .gif
  //validate all MIME types for ext .swf
  //validate only application/pdf for ext .pdf

  $this->FileUpload->allowedTypes(array(
    'jpg' => array('image/jpeg', 'image/pjpeg'),
    'png' => array('image/png'),
    'gif',  // bare entry (numeric key): any MIME type accepted for .gif
    'swf',  // bare entry (numeric key): any MIME type accepted for .swf
    'pdf' => array('application/pdf'),
  ));

Sample In a Behavior

  //validate only image/jpeg and image/pjpeg mime types with ext .jpg
  //validate only image/png mime type file with ext .png
  //validate all MIME types for ext .gif
  //validate all MIME types for ext .swf
  //validate only application/pdf for ext .pdf

  var $actsAs = array(
    'FileUpload.FileUpload' => array(
      'allowedTypes' => array(
        'jpg' => array('image/jpeg', 'image/pjpeg'),
        'png' => array('image/png'),
        'gif',  // bare entry (numeric key): any MIME type accepted for .gif
        'swf',  // bare entry (numeric key): any MIME type accepted for .swf
        'pdf' => array('application/pdf'),
      )
    )
  );

The default types are the same:

  'allowedTypes' => array(
    'jpg' => array('image/jpeg', 'image/pjpeg'),
    'jpeg' => array('image/jpeg', 'image/pjpeg'),
    'gif' => array('image/gif'),
    'png' => array('image/png','image/x-png'),
  ),
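To make the new extension-plus-MIME rule concrete, here is a stand-alone PHP example of the same check. It is added for illustration and is not the plugin's own code; the function names (normalizeAllowedTypes, validateUpload) and the sample file names and MIME types are constructed for this example. It consumes an allowedTypes array in the 6.0 shape shown above, including bare entries such as 'gif' that carry a numeric key and accept any MIME type for that extension.

```php
<?php
// Added example, not the plugin's own code. It reproduces the v6.0 rule in
// plain PHP: the extension must appear in allowedTypes, and when that
// extension lists MIME types the reported type must be one of them. A bare
// entry like 'gif' (numeric key) accepts any MIME type for that extension.

function normalizeAllowedTypes(array $allowedTypes)
{
    $normalized = array();
    foreach ($allowedTypes as $key => $value) {
        if (is_int($key)) {
            // 'gif' / 'swf' given as bare values: no MIME restriction
            $normalized[strtolower($value)] = array();
        } else {
            $normalized[strtolower($key)] = array_map('strtolower', (array) $value);
        }
    }
    return $normalized;
}

// Returns array('ok' => bool, 'reason' => string).
function validateUpload($fileName, $reportedMime, array $allowedTypes)
{
    $types = normalizeAllowedTypes($allowedTypes);
    $ext = strtolower(pathinfo($fileName, PATHINFO_EXTENSION));

    if ($ext === '' || !array_key_exists($ext, $types)) {
        return array('ok' => false, 'reason' => "extension '$ext' not allowed");
    }
    $mimes = $types[$ext];
    if (!empty($mimes) && !in_array(strtolower($reportedMime), $mimes, true)) {
        return array('ok' => false, 'reason' => "MIME '$reportedMime' does not match .$ext");
    }
    return array('ok' => true, 'reason' => 'extension and MIME type both allowed');
}

// Constructed sample configuration: the same array as the controller example above.
$allowedTypes = array(
    'jpg' => array('image/jpeg', 'image/pjpeg'),
    'png' => array('image/png'),
    'gif',
    'swf',
    'pdf' => array('application/pdf'),
);

// Constructed sample uploads (name as submitted, MIME type as reported by the client).
$samples = array(
    array('photo.jpg', 'image/jpeg'),     // accepted
    array('photo.jpg', 'image/png'),      // rejected: MIME does not match extension
    array('upload.php', 'image/jpeg'),    // rejected: extension not on the list, whatever the MIME says
    array('anim.gif', 'image/gif'),       // accepted: any MIME for .gif
    array('noext', 'application/pdf'),    // rejected: no extension at all
);

foreach ($samples as $sample) {
    list($name, $mime) = $sample;
    $result = validateUpload($name, $mime, $allowedTypes);
    printf("%-12s %-18s %-8s %s\n", $name, $mime,
        $result['ok'] ? 'accept' : 'reject', $result['reason']);
}
```

Two things worth keeping in mind when reading the output. The MIME type in a browser upload ($_FILES['...']['type']) is supplied by the client, so the MIME check only catches mismatches and the extension check is the part the server can actually rely on, which is exactly why 6.0 adds it. And pathinfo() looks only at the final extension, so the allow-list decides what the web server will be asked to serve; keep that list as short as the application needs.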

Included in the newest release is the Migration Guide from 5.0 to 6.0. I encourage you to read over that document as well.

Enjoy the changes,
Nick