gold2040
11-03-2005, 05:30 PM
Hey everyone :)
I stuck a validation script for an upload form so that you can only upload images. It works when you try to upload a file which is not an image but when you upload a image it says
Possible file upload attack! Here's some debugging info:
Array
(
[uploadfile] => Array
(
[name] => abandongame button.gif
[type] => image/gif
[tmp_name] => /tmp/phpGEtdHo
[error] => 0
[size] => 1062
)
)
Here's the code for the upload form
<form enctype="multipart/form-data" action="upload.php" method="post">
<input type="hidden" name="MAX_FILE_SIZE" value="1048576" />
<input type=file name=uploadfile>
<input type=button name="Submit" value="Submit" onclick="LimitAttach(this.form, this.form.uploadfile.value)">
</form>
The Upload File
<?php
$uploadDir = '/home/abandonw/public_html/submit/screenshots/boxcovers/';
$uploadFile = $uploadDir . $_FILES['userfile']['name'];
print "<pre>";
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadFile))
{
print "The box cover was succesfully uploaded. ";
print "Here's some more debugging info:\n";
print_r($_FILES);
}
else
{
print "Possible file upload attack! Here's some debugging info:\n";
print_r($_FILES);
}
print "</pre>";
?>
and here's the actual script from the Javascript Source
<SCRIPT LANGUAGE="JavaScript">
<!-- Original: ArjoGod, Shauna Merritt -->
<!-- Modified By: Ronnie T. Moore, Editor -->
<!-- This script and many more are available free online at -->
<!-- The JavaScript Source!! http://javascript.internet.com -->
<!-- Begin
extArray = new Array(".gif", ".jpg", ".png");
function LimitAttach(form, file) {
allowSubmit = false;
if (!file) return;
while (file.indexOf("\\") != -1)
file = file.slice(file.indexOf("\\") + 1);
ext = file.slice(file.indexOf(".")).toLowerCase();
for (var i = 0; i < extArray.length; i++) {
if (extArray[i] == ext) { allowSubmit = true; break; }
}
if (allowSubmit) form.submit();
else
alert("Please only upload files that end in types: "
+ (extArray.join(" ")) + "\nPlease select a new "
+ "file to upload and submit again.");
}
// End -->
</script>
any help apprechiated
Tom Evans
I stuck a validation script for an upload form so that you can only upload images. It works when you try to upload a file which is not an image but when you upload a image it says
Possible file upload attack! Here's some debugging info:
Array
(
[uploadfile] => Array
(
[name] => abandongame button.gif
[type] => image/gif
[tmp_name] => /tmp/phpGEtdHo
[error] => 0
[size] => 1062
)
)
Here's the code for the upload form
<form enctype="multipart/form-data" action="upload.php" method="post">
<input type="hidden" name="MAX_FILE_SIZE" value="1048576" />
<input type=file name=uploadfile>
<input type=button name="Submit" value="Submit" onclick="LimitAttach(this.form, this.form.uploadfile.value)">
</form>
The Upload File
<?php
$uploadDir = '/home/abandonw/public_html/submit/screenshots/boxcovers/';
$uploadFile = $uploadDir . $_FILES['userfile']['name'];
print "<pre>";
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadFile))
{
print "The box cover was succesfully uploaded. ";
print "Here's some more debugging info:\n";
print_r($_FILES);
}
else
{
print "Possible file upload attack! Here's some debugging info:\n";
print_r($_FILES);
}
print "</pre>";
?>
and here's the actual script from the Javascript Source
<SCRIPT LANGUAGE="JavaScript">
<!-- Original: ArjoGod, Shauna Merritt -->
<!-- Modified By: Ronnie T. Moore, Editor -->
<!-- This script and many more are available free online at -->
<!-- The JavaScript Source!! http://javascript.internet.com -->
<!-- Begin
extArray = new Array(".gif", ".jpg", ".png");
function LimitAttach(form, file) {
allowSubmit = false;
if (!file) return;
while (file.indexOf("\\") != -1)
file = file.slice(file.indexOf("\\") + 1);
ext = file.slice(file.indexOf(".")).toLowerCase();
for (var i = 0; i < extArray.length; i++) {
if (extArray[i] == ext) { allowSubmit = true; break; }
}
if (allowSubmit) form.submit();
else
alert("Please only upload files that end in types: "
+ (extArray.join(" ")) + "\nPlease select a new "
+ "file to upload and submit again.");
}
// End -->
</script>
any help apprechiated
Tom Evans