Hi Armin. Thanks for your reply. I have set upload_max_filesize to 1M in php.ini.
From the php manual:

-------------------------------------------------
QUOTE

Example 19-1. File Upload Form

<FORM ENCTYPE="multipart/form-data" ACTION="_URL_" METHOD="POST">
<INPUT TYPE="hidden" name="MAX_FILE_SIZE" value="1000">
Send this file: <INPUT NAME="userfile" TYPE="file">
<INPUT TYPE="submit" VALUE="Send File">
</FORM>

The _URL_ should point to a PHP file. The MAX_FILE_SIZE hidden field must precede the file input field and its value is the maximum filesize accepted. The value is in bytes.

Warning: The MAX_FILE_SIZE is advisory to the browser. It is easy to circumvent this maximum. So don't count on it that the browser obeys your wish! The PHP settings for maximum size, however, cannot be fooled.

UNQUOTE
-------------------------------------------------

As upload_max_filesize cannot be fooled by an attacker, is there any need to set the MAX_FILE_SIZE hidden field in the form? I suppose I could write a function to check MAX_FILE_SIZE is the value I expect it to be. If it has been changed, then terminate the php script.

My other concern was with an attacker inserting a virus of any sort into a jpg file, or just calling a virus something.jpg and trying to upload that to my server. Probably need to run some sort of virus check on all uploaded jpg files, and delete anything suspicious.

Kind Regards - Keith Roberts

On Fri, 12 Mar 2004, Armin Schoech wrote:
To: suse-security@suse.com
From: Armin Schoech
Subject: Re: [suse-security] HTTP File Uploads

Hi,
I'm working on a php script to upload user supplied jpg photos to my server.
What are the security issues involved when allowing users to upload files to my server like this?
--> You should restrict the file size in the HTML form and additionally by checking the limit in the PHP script. Otherwise someone could crash your server by filling up your harddisk until 0 bytes are left.
Cheers, Armin
--
Am Hasenberg 26                   office: Institut für Atmosphärenphysik
D-18209 Bad Doberan                       Schloss-Straße 6
Tel. ++49-(0)38203/42137                  D-18225 Kühlungsborn / GERMANY
Email: schoech@iap-kborn.de               Tel. +49-(0)38293-68-102
WWW: http://armins.cjb.net/               Fax. +49-(0)38293-68-50
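The server-side checks the thread is circling around, as an added example that is not part of either message and is not Keith's script: every control lives in the PHP handler, where an attacker editing the form's MAX_FILE_SIZE field cannot reach it. It assumes the field name "userfile" from the manual example quoted above, a 1 MB limit matching the upload_max_filesize Keith set, and a storage directory /var/uploads/photos outside the document root (the path is an assumption).

```php
<?php
// Added example, not code from the original thread. A handler for the
// "userfile" field of the manual's upload form. Nothing below depends on the
// client-controlled MAX_FILE_SIZE value, so editing the form gains nothing.

const MAX_BYTES  = 1000000;               // our own limit, enforced here regardless of the form
const UPLOAD_DIR = '/var/uploads/photos'; // assumed: outside the web root, not executable by the server

function fail(string $msg): void {
    http_response_code(400);
    echo htmlspecialchars($msg, ENT_QUOTES, 'UTF-8');
    exit;
}

// 1. upload_max_filesize / post_max_size are applied by PHP before this script
//    runs. An oversized file never reaches the disk; report that cleanly.
if (!isset($_FILES['userfile'])) {
    fail('No file received (request may have exceeded post_max_size).');
}
$f = $_FILES['userfile'];
if ($f['error'] !== UPLOAD_ERR_OK) {
    // UPLOAD_ERR_INI_SIZE  : over upload_max_filesize (server-enforced, trustworthy)
    // UPLOAD_ERR_FORM_SIZE : over the form's MAX_FILE_SIZE (advisory only; attacker can raise it)
    fail('Upload failed, error code ' . (int) $f['error']);
}

// 2. Only handle files PHP itself placed in the temp dir, and measure the size
//    ourselves instead of trusting anything the client sent about the file.
if (!is_uploaded_file($f['tmp_name'])) {
    fail('Not an uploaded file.');
}
$size = filesize($f['tmp_name']);
if ($size === false || $size === 0 || $size > MAX_BYTES) {
    fail('File size out of range.');
}

// 3. "Something.jpg" means nothing: the client picks the name. Check the
//    content instead. getimagesize() parses the image header; finfo checks the
//    magic bytes. An executable renamed to .jpg fails both tests.
$info = @getimagesize($f['tmp_name']);
if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
    fail('Not a JPEG image.');
}
$finfo = new finfo(FILEINFO_MIME_TYPE);
if ($finfo->file($f['tmp_name']) !== 'image/jpeg') {
    fail('Wrong MIME type.');
}

// 4. Store under a server-generated name, in a directory the web server does
//    not serve or execute from, with no execute bit. The original filename is
//    never used, so path tricks like "../x.php" in it are irrelevant.
$dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.jpg';
if (!move_uploaded_file($f['tmp_name'], $dest)) {
    fail('Could not store file.');
}
chmod($dest, 0640);

echo 'Stored ' . $size . ' bytes.';
```

The MAX_FILE_SIZE hidden field can stay in the form as a courtesy (PHP reports UPLOAD_ERR_FORM_SIZE and the browser may abort early), but the script treats it purely as a hint. Content checks like getimagesize() and finfo catch a renamed executable, not a payload hidden inside a structurally valid JPEG; if that matters, a common extra step is to re-encode the image with GD (imagecreatefromjpeg() followed by imagejpeg()) so only pixel data survives, and to keep the upload directory non-executable so a crafted file can never run as a script.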