File upload security

  1. Hi, what security is in place to ensure that a file uploaded via a form (using the File Upload field) is actually the correct file type and not a malicious file hiding behind a different file extension e.g. a lame example, but if I allowed .jpg files to be uploaded and created a simple phpinfo page named info.php.jpg, would this be valid?

    I assume it's not just matched on extension name but there's maybe some kind of checking of the file mime type as well for instance?

    Posted 12 years ago on Wednesday October 19, 2011 | Permalink
  2. I was able to upload a text file, named as info.php.jpg, where I only allowed jpg extensions, but it didn't render as php, which is probably due to the server configuration.

    You're welcome to try uploading various exploits to this form, which will include images in the post, and will be published immediately.

    http://gravity.chrishajer.com/simple-image-upload/

    Posted 12 years ago on Wednesday October 19, 2011 | Permalink
  3. Indeed on my server, when I uploaded info.php.jpg and then used a browser to open it up it came back saying "cannot be displayed because it contains errors". And I can't upload an info.php file because that's not an allowed file type in the upload widget. So that's all fine and dandy, but does not give me a definitive answer.

    I'd prefer an official response on whether there are any checks in place during upload to try and minimise carefully crafted malicious files - after all my tests were pretty rudimentary.

    Posted 12 years ago on Friday October 21, 2011 | Permalink
  4. Gravity Forms uses WordPress functions to check the file type. In forms_model.php the file type is determined like this:

        $type = wp_check_filetype($new_file);

    That function is documented here:
    http://codex.wordpress.org/Function_Reference/wp_check_filetype

    Full reference:
    http://core.trac.wordpress.org/browser/tags/3.2.1/wp-includes/functions.php#L2454

    Posted 12 years ago on Friday October 21, 2011 | Permalink
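As an added illustration (not Gravity Forms or WordPress code), here is a simplified stand-in for the extension matching that wp_check_filetype() performs, placed next to a content check using PHP's bundled finfo extension. The allow-list subset, the function names and the sample files are assumptions constructed for this example.

```php
<?php
// Added example, not code from Gravity Forms or WordPress.
// Part 1 mirrors what an extension-only check sees; part 2 adds a
// second layer that sniffs the file content and requires it to agree.

// Assumed subset of the extension => MIME table (WordPress's list is longer).
$allowed = [
    'jpg|jpeg|jpe' => 'image/jpeg',
    'gif'          => 'image/gif',
    'png'          => 'image/png',
];

// Simplified re-implementation of wp_check_filetype(): only the final
// extension of the filename is matched, so "info.php.jpg" counts as a jpg.
function check_filetype_by_name(string $filename, array $mimes): array {
    foreach ($mimes as $extPattern => $mime) {
        if (preg_match('!\.(' . $extPattern . ')$!i', $filename, $m)) {
            return ['ext' => strtolower($m[1]), 'type' => $mime];
        }
    }
    return ['ext' => false, 'type' => false];
}

// Content check: the MIME type derived from the bytes (libmagic via finfo)
// must equal the MIME type promised by the extension; anything else fails.
function upload_is_consistent(string $filename, string $bytes, array $mimes): bool {
    $byName = check_filetype_by_name($filename, $mimes);
    if ($byName['type'] === false) {
        return false;                      // extension not on the allow-list
    }
    $finfo   = new finfo(FILEINFO_MIME_TYPE);
    $sniffed = $finfo->buffer($bytes);     // e.g. "image/gif" or "text/x-php"
    return $sniffed === $byName['type'];
}

// Constructed inputs: a PHP script carrying a .jpg extension, and a real
// 1x1 GIF89a image.
$disguisedScript = "<?php echo 'not an image';";
$realGif = "GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
         . "\x21\xf9\x04\x01\x00\x00\x00\x00\x2c\x00\x00\x00\x00\x01\x00"
         . "\x01\x00\x00\x02\x02\x44\x01\x00\x3b";

var_dump(check_filetype_by_name('info.php.jpg', $allowed));                // extension-only view
var_dump(upload_is_consistent('info.php.jpg', $disguisedScript, $allowed)); // extension plus content
var_dump(upload_is_consistent('pixel.gif', $realGif, $allowed));            // genuine image
```

Run with any PHP build that ships finfo; the disguised script passes the name-only check but fails the combined check, while the genuine GIF passes both.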
  5. Ah thanks. OK, so what you're saying is it uses the built-in file security of the WP core code. That's good enough for me. Many thanks!

    Posted 12 years ago on Tuesday October 25, 2011 | Permalink
  6. Yes. If WordPress gets it right, Gravity Forms gets it right. If you have any more concerns, please feel free to post them. Thank you.

    Posted 12 years ago on Tuesday October 25, 2011 | Permalink

This topic has been resolved and has been closed to new replies.