File type validation. Is it possible with file upload

[pundip]

Is it possible to verify the file type being uploaded via file upload. For example if I take an .exe and change the extension to doc I will be able to upload the file. I am looking for some type of validation that will check to make sure that the extension matches the file type.

 

[cheesegrits]

As long as you don't set "Disable Safety Check" to "Yes" on the element, we let J! run the standard file checks on it - the input filter's isSafeFile() which checks for stuff like PHP tags, makes sure it's an image if it uses an image extension, and a few other things.

There isn't really any way to check for doc vs executable, as there's no reliable way across architectures to definitively tell the difference from PHP, they are both just binary files which have no real consistent identifying characteristics. But as long as your umask is correct on the server, so you aren't setting newly created files as executable (it would be extremely weird if this was happening) that shouldn't be an issue. They might be able to upload an exe disguised as a doc, but the server would never allow it to be executed.

So I guess the bottom line is that Fabrik's uploading is no more or less safe than any other uploading in Joomla.

-- hugh

 

[pundip]

Thanks. That makes sense. In my implementation the files are being written to an S3 bucket so am I guessing that gives me a little extra protection.