.. _security-uploadfilenameinjection:

.. _upload-filename-injection:

Upload Filename Injection
+++++++++++++++++++++++++

When receiving a file via upload, store it under a server-generated name. Any storage that uses the original filename, or even a part of it, may be vulnerable to injection: the name is chosen by the sender, and may carry path separators, HTML, or an executable extension.

It is highly recommended to validate any incoming file, generate a name for it, and store the result in a folder outside the web root. Also, avoid accepting PHP scripts, if possible.

.. code-block:: php

   <?php

   // Security error! $_FILES['upload']['name'] is provided by the sender.
   // A name such as 'a.<script>alert(\'a\')</script>' may lead to an HTML injection
   // wherever the stored name is echoed back.
   $extension = substr(strrchr($_FILES['upload']['name'], '.'), 1);
   if (!in_array($extension, array('gif', 'jpeg', 'jpg'), true)) {
       // process error
       return;
   }

   // md5() provides a name without special characters; only the whitelisted extension is appended.
   $name = md5($_FILES['upload']['name']);
   if (@move_uploaded_file($_FILES['upload']['tmp_name'], '/var/no-www/upload/' . $name . '.' . $extension)) {
       safeStoring($name . '.' . $extension, $_FILES['upload']['name']);
   }

   // Security error! The target path is the sender-provided name, used unchanged.
   if (@move_uploaded_file($_FILES['upload']['tmp_name'], $_FILES['upload']['name'])) {
       safeStoring($_FILES['upload']['name']);
   }

   // Security error! The extension is taken from the sender-provided name without validation,
   // so 'a.<script>alert(\'a\')</script>' is stored with that script as its extension, and
   // the file lands in the current directory rather than outside the web root.
   $extension = substr(strrchr($_FILES['upload']['name'], '.'), 1);
   $name = md5($_FILES['upload']['name']);
   if (@move_uploaded_file($_FILES['upload']['tmp_name'], $name . '.' . $extension)) {
       safeStoring($name . '.' . $extension, $_FILES['upload']['name']);
   }

   ?>

Note that ``md5()`` of the original name is deterministic: two uploads carrying the same filename produce the same stored name and overwrite each other. A random name (for example from ``random_bytes()``) avoids both the collision and any dependency on sender input.

See also [CVE-2017-6090], `CWE-616: Incomplete Identification of Uploaded File Variables <https://cwe.mitre.org/data/definitions/616.html>`_ and Why File Upload Forms are a Major Security Threat.
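A hardened handler that follows the recommendation above, added here as an example and not Exakat's own code: the stored name is random, the extension is derived from the sniffed MIME type rather than from the sender's name, the file goes to a directory outside the web root, and the original name is kept only as data in a database and escaped when displayed. The field name ``upload``, the directory ``/var/no-www/upload``, the SQLite database path and the ``uploads`` table are assumptions.

```php
<?php
// Added example (not Exakat's code): a hardened upload handler that never lets the
// sender's filename reach the filesystem. The field name 'upload', the storage
// directory /var/no-www/upload and the SQLite database/table are assumptions.

declare(strict_types=1);

const UPLOAD_DIR = '/var/no-www/upload';   // outside the web root
const MAX_BYTES  = 2 * 1024 * 1024;        // 2 MiB

// The extension comes from the sniffed MIME type, never from the client-supplied name.
const ALLOWED_TYPES = [
    'image/gif'  => 'gif',
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
];

/**
 * Validate one entry of $_FILES and store it under a random name.
 * Returns the stored basename, or throws on any problem.
 */
function storeUpload(array $file, PDO $db): string
{
    if (!isset($file['error']) || is_array($file['error'])) {
        throw new RuntimeException('Malformed upload field');
    }
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with code ' . $file['error']);
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    // Rejects paths that did not come through PHP's upload machinery.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }

    // Sniff the content: $file['type'] and the extension in $file['name'] are untrusted.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('Unsupported file type: ' . var_export($mime, true));
    }
    $extension = ALLOWED_TYPES[$mime];

    // Random, unguessable name: no sender input in the path at all, and no collisions
    // between two uploads that happen to share the same original name.
    $name   = bin2hex(random_bytes(16)) . '.' . $extension;
    $target = UPLOAD_DIR . '/' . $name;

    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not store file');
    }

    // Keep the original name only as data, bound as a parameter. It is rendered
    // later through originalNameHtml(), never used as a path.
    $stmt = $db->prepare(
        'INSERT INTO uploads (stored_name, original_name, mime) VALUES (:stored, :orig, :mime)'
    );
    $stmt->execute([
        ':stored' => $name,
        ':orig'   => (string) $file['name'],
        ':mime'   => $mime,
    ]);

    return $name;
}

// Escape the original name when listing uploads, so a name like
// 'a.<script>alert(1)</script>' is shown as text instead of executed.
function originalNameHtml(string $originalName): string
{
    return htmlspecialchars($originalName, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

if (PHP_SAPI !== 'cli' && isset($_FILES['upload'])) {
    $db = new PDO('sqlite:/var/no-www/uploads.sqlite');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE IF NOT EXISTS uploads (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        stored_name TEXT NOT NULL UNIQUE,
        original_name TEXT NOT NULL,
        mime TEXT NOT NULL
    )');
    try {
        $stored = storeUpload($_FILES['upload'], $db);
        echo 'Stored as ', htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), "\n";
    } catch (RuntimeException $e) {
        http_response_code(400);
        error_log($e->getMessage());   // detail stays in the log, not in the response
        echo 'Upload rejected';
    }
}
```

Because the extension is chosen from the MIME whitelist, a file named ``shell.php`` whose content sniffs as ``image/gif`` is stored as ``<random>.gif`` in a directory the web server does not serve, and a file whose content is PHP is rejected outright whatever its name says.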
Connex PHP features
-------------------

+ upload

Suggestions
___________

* Validate uploaded files, and never use the sender's filename, or any part of it, as a path
* Rename files upon storage, and keep the original name in a database

Specs
_____

+--------------+--------------------------------------------------+
| Short name   | Security/UploadFilenameInjection                 |
+--------------+--------------------------------------------------+
| Rulesets     | All, Changed Behavior, Security                  |
+--------------+--------------------------------------------------+
| Exakat since | 0.12.14                                          |
+--------------+--------------------------------------------------+
| PHP Version  | All                                              |
+--------------+--------------------------------------------------+
| Severity     | Major                                            |
+--------------+--------------------------------------------------+
| Time To Fix  | Instant (5 mins)                                 |
+--------------+--------------------------------------------------+
| Precision    | High                                             |
+--------------+--------------------------------------------------+
| Available in | Enterprise Edition, Exakat Cloud                 |
+--------------+--------------------------------------------------+