https://legacy.forums.gravityhelp.com/topic/file-upload-security-1 Gravity Support Forums Topic: File upload security en-US Mon, 20 Apr 2026 08:26:05 +0000 http://bbpress.org/?v=1.0.1 q https://legacy.forums.gravityhelp.com/search.php https://legacy.forums.gravityhelp.com/topic/file-upload-security-1#post-38867 Tue, 25 Oct 2011 09:31:32 +0000 Chris Hajer 38867@https://legacy.forums.gravityhelp.com/ <p>Yes. If WordPress gets it right, Gravity Forms gets it right. If you have any more concerns, please feel free to post them. Thank you. </p> https://legacy.forums.gravityhelp.com/topic/file-upload-security-1#post-38849 Tue, 25 Oct 2011 05:40:23 +0000 rnfsolutions 38849@https://legacy.forums.gravityhelp.com/ <p>Ah thanks. OK, so what you're saying is it uses the built in file security of the WP core code. That's good enough for me. Many thanks! </p> https://legacy.forums.gravityhelp.com/topic/file-upload-security-1#post-38547 Fri, 21 Oct 2011 12:20:30 +0000 Chris Hajer 38547@https://legacy.forums.gravityhelp.com/ <p>Gravity Forms uses WordPress functions to check the file type. In forms_model.php the file type is determined like this:</p> <pre><code>[php] $type = wp_check_filetype($new_file);</code></pre> <p>That function is documented here:<br /> <a href="http://codex.wordpress.org/Function_Reference/wp_check_filetype" rel="nofollow">http://codex.wordpress.org/Function_Reference/wp_check_filetype</a></p> <p>Full reference:<br /> <a href="http://core.trac.wordpress.org/browser/tags/3.2.1/wp-includes/functions.php#L2454" rel="nofollow">http://core.trac.wordpress.org/browser/tags/3.2.1/wp-includes/functions.php#L2454</a> </p> https://legacy.forums.gravityhelp.com/topic/file-upload-security-1#post-38516 Fri, 21 Oct 2011 09:09:29 +0000 rnfsolutions 38516@https://legacy.forums.gravityhelp.com/ <p>Indeed on my server, when I uploaded info.php.jpg and then used a browser to open it up it came back saying "cannot be displayed because it contains errors". And I can't upload a info.php file because that's not an allowed file type in the upload widget. So that's all fine and dandy, but does not give me a definitive answer. </p> <p>I'd prefer an official response on whether there are any checks in place during upload to try and minimise carefully crafted malicious files - after all my tests were pretty rudimentary. </p> https://legacy.forums.gravityhelp.com/topic/file-upload-security-1#post-38288 Wed, 19 Oct 2011 11:20:38 +0000 Chris Hajer 38288@https://legacy.forums.gravityhelp.com/ <p>I was able to upload a text file, named as info.php.jpg, where I only allowed jpg extensions, but it didn't render as php, which is probably due to the server configuration.</p> <p>You're welcome to try uploading various exploits to this form, which will include images in the post, and will be published immediately.</p> <p><a href="http://gravity.chrishajer.com/simple-image-upload/" rel="nofollow">http://gravity.chrishajer.com/simple-image-upload/</a> </p> https://legacy.forums.gravityhelp.com/topic/file-upload-security-1#post-38265 Wed, 19 Oct 2011 05:07:38 +0000 rnfsolutions 38265@https://legacy.forums.gravityhelp.com/ <p>Hi, what security is in place to ensure that a file uploaded via a form (using the File Upload field) is actually the correct file type and not a malicious file hiding behind a different file extension e.g. a lame example, but if I allowed .jpg files to be uploaded and created a simple phpinfo page named info.php.jpg, would this be valid?</p> <p>I assume it's not just matched on extension name but there's maybe some kind of checking of the file mime type as well for instance? </p>