1.2.1305. Upload Filename Injection
When receiving a file via upload, it is recommended to store it under a self-generated name. Any storage that uses the original filename, or even a part of it, may be vulnerable to injections.
It is highly recommended to validate any incoming file, generate a name for it, and store the result in a folder outside the web folder. Also, avoid accepting PHP scripts if possible.
<?php
// Recommended: the sender-provided $_FILES['upload']['name'] is only used to
// pick a whitelisted extension; the stored file gets a generated name and
// lives outside the web root. The original name passed to safeStoring() is
// still untrusted: 'a.<script>alert(\'a\')</script>.jpg' leads to an HTML
// injection if it is ever displayed without escaping.
$extension = substr(strrchr($_FILES['upload']['name'], '.'), 1);
if (!in_array($extension, array('gif', 'jpeg', 'jpg'))) {
    // process error (reject this file and move on to the next upload)
    continue;
}

// Md5 provides a name without special characters
$name = md5($_FILES['upload']['name']);
if (@move_uploaded_file($_FILES['upload']['tmp_name'], '/var/no-www/upload/' . $name . '.' . $extension)) {
    safeStoring($name . '.' . $extension, $_FILES['upload']['name']);
}

// Security error! $_FILES['upload']['name'] is provided by the sender and is
// used unchanged as the destination path.
if (@move_uploaded_file($_FILES['upload']['tmp_name'], $_FILES['upload']['name'])) {
    safeStoring($_FILES['upload']['name']);
}

// Security error! The extension is not validated and the file is written
// next to the script: 'a.<script>alert(\'a\')</script>' may lead to an HTML
// injection, and a .php extension would be served as a script.
$extension = substr(strrchr($_FILES['upload']['name'], '.'), 1);
$name = md5($_FILES['upload']['name']);
if (@move_uploaded_file($_FILES['upload']['tmp_name'], $name . '.' . $extension)) {
    safeStoring($name . '.' . $extension, $_FILES['upload']['name']);
}
?>
See also [CVE-2017-6090], CWE-616: Incomplete Identification of Uploaded File Variables and Why File Upload Forms are a Major Security Threat.
1.2.1305.1. Suggestions
Validate uploaded filenames
Rename files upon storage, and keep the original name in a database
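A hardened handler that applies both suggestions, added here as an example (it is not Exakat's or the page's own code). It assumes a form field named 'upload', a storage directory outside the web root, and a hypothetical saveUploadRecord() database helper.

```php
<?php
// Added example, not Exakat's own code: an upload handler that applies the
// suggestions above. Assumed: the form field is 'upload', /var/no-www/upload
// lies outside the web root, and saveUploadRecord() is a hypothetical helper
// that writes the generated and original names to the database.
declare(strict_types=1);
const UPLOAD_DIR = '/var/no-www/upload';
// extension => MIME type the file content must actually have
const ALLOWED_TYPES = [
    'gif'  => 'image/gif',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
];
// Returns the generated filename on success, null when the upload is rejected.
function storeUpload(array $file): ?string
{
    // Reject anything PHP itself flagged (size limit, partial upload, no file).
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'] ?? '')) {
        return null;
    }

    // The sender-controlled name only selects a whitelisted extension;
    // basename() discards any directory part such as '../'.
    $original  = basename((string) $file['name']);
    $extension = strtolower(pathinfo($original, PATHINFO_EXTENSION));
    if (!array_key_exists($extension, ALLOWED_TYPES)) {
        return null;
    }

    // Sniff the real content type; $file['type'] is client-supplied and ignored.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED_TYPES[$extension]) {
        return null;
    }

    // Self-generated, unpredictable name: nothing from the request reaches the path.
    $stored = bin2hex(random_bytes(16)) . '.' . $extension;
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $stored)) {
        return null;
    }
    // Keep the original name for display only, stripped of control characters;
    // it must still go through htmlspecialchars() whenever it is rendered.
    $display = preg_replace('/[\x00-\x1F\x7F]/', '', $original);
    saveUploadRecord($stored, $display); // hypothetical database helper
    return $stored;
}
$stored = storeUpload($_FILES['upload'] ?? []);
```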
1.2.1305.2. Specs
Short name | Security/UploadFilenameInjection
Rulesets |
Exakat since | 0.12.14
PHP Version | All
Severity | Major
Time To Fix | Instant (5 mins)
Precision | High
Features | upload
Available in |