PLEASE NOTE: These forums are no longer utilized and are provided as an archive for informational purposes only. All support issues will be handled via email using our support ticket system. For more detailed information on this change, please see this blog post.

File upload security

  1. Hi, what security is in place to ensure that a file uploaded via a form (using the File Upload field) is actually the correct file type and not a malicious file hiding behind a different file extension e.g. a lame example, but if I allowed .jpg files to be uploaded and created a simple phpinfo page named info.php.jpg, would this be valid?

    I assume it's not just matched on extension name but there's maybe some kind of checking of the file mime type as well for instance?

    Posted 7 years ago on Wednesday October 19, 2011 | Permalink
  2. I was able to upload a text file, named as info.php.jpg, where I only allowed jpg extensions, but it didn't render as php, which is probably due to the server configuration.

    You're welcome to try uploading various exploits to this form, which will include images in the post, and will be published immediately.

    http://gravity.chrishajer.com/simple-image-upload/

    Posted 7 years ago on Wednesday October 19, 2011 | Permalink
  3. Indeed on my server, when I uploaded info.php.jpg and then used a browser to open it up it came back saying "cannot be displayed because it contains errors". And I can't upload a info.php file because that's not an allowed file type in the upload widget. So that's all fine and dandy, but does not give me a definitive answer.

    I'd prefer an official response on whether there are any checks in place during upload to try and minimise carefully crafted malicious files - after all my tests were pretty rudimentary.

    Posted 7 years ago on Friday October 21, 2011 | Permalink
  4. Gravity Forms uses WordPress functions to check the file type. In forms_model.php the file type is determined like this:

    [php]
     $type = wp_check_filetype($new_file);

    That function is documented here:
    http://codex.wordpress.org/Function_Reference/wp_check_filetype

    Full reference:
    http://core.trac.wordpress.org/browser/tags/3.2.1/wp-includes/functions.php#L2454

    Posted 7 years ago on Friday October 21, 2011 | Permalink
  5. Ah thanks. OK, so what you're saying is it uses the built in file security of the WP core code. That's good enough for me. Many thanks!

    Posted 7 years ago on Tuesday October 25, 2011 | Permalink
  6. Yes. If WordPress gets it right, Gravity Forms gets it right. If you have any more concerns, please feel free to post them. Thank you.

    Posted 7 years ago on Tuesday October 25, 2011 | Permalink

This topic has been resolved and has been closed to new replies.