#11

shimmyshack <matt.farey@gmail.com> wrote in news:1179166417.178718.236160@y80g2000hsf.googlegroups.com:

>> > Though it would likely be much easier if you were to strip out all
>> > characters except alpha, numeric, and the underscore prior to
>> > storage (file and database entry). Perhaps replace spaces with
>> > underscores.
>>
>> I agree. Here's what I use to "clean" the filenames of all uploaded
>> files:
>>
>> function cleanFile ($filename) { //clean up the file name

> the trouble with this kind of blacklist banning is that it allows
> encoding and other forms of clever attack.
> better to use a whitelist.

How would you use a 'whitelist' in this case? By only allowing filenames with alphanumeric characters? If that were the case, that would require forcing your user to rename their files before upload... time-intensive and annoying...
#12

On May 14, 7:41 pm, Good Man <h...@letsgo.com> wrote:
> shimmyshack <matt.fa...@gmail.com> wrote in news:1179166417.178718.236160@y80g2000hsf.googlegroups.com:
>
> >> > Though it would likely be much easier if you were to strip out all
> >> > characters except alpha, numeric, and the underscore prior to
> >> > storage (file and database entry). Perhaps replace spaces with
> >> > underscores.
>
> >> I agree. Here's what I use to "clean" the filenames of all uploaded
> >> files:
>
> >> function cleanFile ($filename) { //clean up the file name
>
> > the trouble with this kind of blacklist banning is that it allows
> > encoding and other forms of clever attack.
> > better to use a whitelist.
>
> How would you use a 'whitelist' in this case? By only allowing filenames
> with alphanumeric characters? If that were the case, that would require
> forcing your user to rename their files before upload... time-intensive and
> annoying...

no just use the kind of one-liner specified earlier in this post using eregi_replace, or preg_replace, no requirement on the user, and you can allow any utf8 character you think is reasonable without allowing attacks and without banning characters like comma (,) apostrophe (') and space ( ) which are all legitimate chars for a filesystem and should really be allowed if the OS supports them.

Perhaps you can explain this line:
$filename = str_replace("","",$filename);

and then check out sql, command, xss and other injection attacks and why blacklisting doesn't work, here for example is OWASP's good practice advice (for sql injection prevention):
"Use vigorous white-list style checking on any user input"
the same goes for any user input.
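Added example (not code posted in this thread, and not from any project the posters mention): a whitelist filename cleaner in PHP along the lines shimmyshack describes. The first function is a port of the eregi_replace() one-liner quoted later in the thread to preg_replace(), since eregi_replace() no longer exists in current PHP; the second keeps the broader UTF-8 whitelist (letters, digits, space, comma, apostrophe) that the post argues for. The function names, the exact character classes and the sample file names are my own choices.

```php
<?php
// Added example, not code from the thread. Whitelist cleaning of an
// uploaded file's name with preg_replace(): whatever the character class
// does not allow is dropped, so the user never has to rename anything.

// Port of the eregi_replace() one-liner quoted in the thread. eregi_replace()
// was removed in PHP 7, so the same character class is used with preg_replace().
// Only ASCII letters, underscore and hyphen survive; digits and spaces do not.
function cleanFileNameStrict(string $name): string
{
    return preg_replace('/[^a-zA-Z_\-]/', '', $name);
}

// Broader whitelist, as the post suggests: any UTF-8 letter or digit plus
// space, comma, apostrophe, hyphen, underscore and dot. The /u modifier makes
// \p{L} and \p{N} match multibyte characters such as accented letters.
function cleanFileName(string $name): string
{
    // Keep only the last path component in case a client sends a whole path.
    $name = basename(str_replace('\\', '/', $name));

    $name = preg_replace("/[^\p{L}\p{N} ,'\-_.]/u", '', $name);
    if ($name === null) {
        // preg_replace() returns null when the input is not valid UTF-8.
        return '';
    }

    // Collapse runs of dots and trim dots/spaces at either end, so names
    // like ".." or "photo..jpg" cannot come out of the cleaner.
    $name = preg_replace('/\.{2,}/', '.', $name);
    return trim($name, " .");
}

// Constructed sample names (not taken from the thread).
$samples = [
    "Al Azhar's mosque Cairo.jpg",
    "Go0od man",
    "caf\xc3\xa9 photo, 2007.png",
    "../../photo.jpg",
    "report|2007;v2.jpg",
];
foreach ($samples as $s) {
    printf("%-30s strict: %-20s utf8: %s\n", $s, cleanFileNameStrict($s), cleanFileName($s));
}
```

The strict variant reproduces the thread's behaviour ("Go0od man" loses its digit and space); the broader one keeps the apostrophe in "Al Azhar's mosque Cairo.jpg" and the accented letter, while path separators and shell metacharacters never make it through because they are simply not in the class. An empty return value should be treated as "no usable name" by the caller rather than written to disk.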
#13

shimmyshack <matt.farey@gmail.com> wrote in news:1179168720.073863.12650@y80g2000hsf.googlegroups.com:

>> >> function cleanFile ($filename) { //clean up the file name
>>
>> > the trouble with this kind of blacklist banning is that it allows
>> > encoding and other forms of clever attack.
>> > better to use a whitelist.
>>
>> How would you use a 'whitelist' in this case? By only allowing
>> filenames with alphanumeric characters? If that were the case, that
>> would require forcing your user to rename their files before
>> upload... time-intensive and annoying...
>
> no just use the kind of one-liner specified earlier in this post using
> eregi_replace, or preg_replace, no requirement on the user, and you
> can allow any utf8 character you think is reasonable without allowing
> attacks and without banning characters like comma (,) apostrophe (')
> and space ( ) which are all legitimate chars for a filesystem and
> should really be allowed if the OS supports them.

** eregi from earlier post **
$strName = eregi_replace("([^a-zA-Z_\-])",'',$_FILES['userfile']['name']);
**

just to make sure I follow... your eregi function keeps any of your 'allowed' characters in your expression, and replaces everything else with just a "" (blank), is that correct?

> Perhaps you can explain this line:
> $filename = str_replace("","",$filename);

bad code!

> and then check out sql, command, xss and other injection attacks and
> why blacklisting doesn't work

i actually only use 'blacklisting' for my file uploads. perhaps i will revisit that issue.

thanks.
#14

On Mon, 14 May 2007 00:25:58 +0200, Alfred Molon put finger to keyboard and typed:

>In article <1179093340.453709.241100@n59g2000hsh.googlegroups.com>,
>matt.farey@gmail.com says...
>
>> alfred, i use php uploads with single quotes just fine, it copes with
>> a large range of characters including single quotes.
>> you say "the uploads don't work properly" but I am unclear as to what
>> that means, where does the process fail? I just think it's a coding/
>> config issue, the actual upload functionality will remain completely
>> unaffected - if your system is set up properly.
>
>It's a shared host and I can not set the system.
>
>In any case what happens, is that the image will upload and be stored in
>the temporary , but then the PHP code will mess up the filename.
>
>For instance, if I upload the file "Al Azhar's mosque Cairo.jpg" (with
>the apostrophe), the PHP code will automatically convert the filename to
>"Al Azhar\'s mosque Cairo.jpg" (i.e. insert a backslash) and store a
>file named "Al Azhar\'s mosque Cairo.jpg" in the temporary directory.

You've got magic_quotes_gpc switched on, but the script assumes you haven't. That's one of the gotchas I was referring to in a different thread!

There are two solutions to that. The easiest, if you can do it, is to switch it off either sitewide (using .htaccess) or in the upload script (using php_ini_set()). If you can't, then you need to pass the variables through stripslashes() before processing them with your file handling routine.

Mark
--
Please give me one! http://www.pleasegivemeone.com
"L'amore giunger, l'amore" (Italian: "Love will come, love")
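Added example (my own code, not Mark's or Alfred's): undoing the magic_quotes_gpc escaping that Mark diagnoses, before the filename reaches the file-handling code. The point of the helper is that stripslashes() is applied only when the escaping was actually performed, so a legitimate backslash in a name is not eaten on a host where magic quotes are off. The function names and the sample name are mine; the sample mirrors the "Al Azhar's mosque Cairo.jpg" case from the post.

```php
<?php
// Added example, not code from the thread. With magic_quotes_gpc on, the
// name "Al Azhar's mosque Cairo.jpg" reaches the script as
// "Al Azhar\'s mosque Cairo.jpg"; stripslashes() turns it back.

function magicQuotesOn(): bool
{
    // get_magic_quotes_gpc() was removed in PHP 8, so guard the call: on
    // modern PHP the function does not exist and the answer is simply "off".
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

function unescapeIfMagic(string $value, bool $magicOn): string
{
    // Strip only when the escaping was really applied. Calling stripslashes()
    // unconditionally would mangle a filename that legitimately contains "\".
    return $magicOn ? stripslashes($value) : $value;
}

// Constructed sample: what the upload script sees with magic quotes on.
$received = "Al Azhar\\'s mosque Cairo.jpg";

echo "magic quotes on:  ", unescapeIfMagic($received, true), "\n";
echo "magic quotes off: ", unescapeIfMagic($received, false), "\n";

// In the actual upload handler, detect the setting instead of hard-coding it:
// $name = unescapeIfMagic($_FILES['userfile']['name'], magicQuotesOn());
```

One caveat on the "switch it off in the script" option: magic_quotes_gpc is a PHP_INI_PERDIR setting, and the escaping is applied while the request is being parsed, before the script runs, so it can only be disabled in php.ini or with `php_flag magic_quotes_gpc Off` in .htaccess, not with ini_set() from the script itself. The stripslashes() route above is the one that works regardless of host configuration.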
#15

On May 14, 8:03 pm, Good Man <h...@letsgo.com> wrote:
> shimmyshack <matt.fa...@gmail.com> wrote in news:1179168720.073863.12650@y80g2000hsf.googlegroups.com:
>
> >> >> function cleanFile ($filename) { //clean up the file name
>
> >> > the trouble with this kind of blacklist banning is that it allows
> >> > encoding and other forms of clever attack.
> >> > better to use a whitelist.
>
> >> How would you use a 'whitelist' in this case? By only allowing
> >> filenames with alphanumeric characters? If that were the case, that
> >> would require forcing your user to rename their files before
> >> upload... time-intensive and annoying...
>
> > no just use the kind of one-liner specified earlier in this post using
> > eregi_replace, or preg_replace, no requirement on the user, and you
> > can allow any utf8 character you think is reasonable without allowing
> > attacks and without banning characters like comma (,) apostrophe (')
> > and space ( ) which are all legitimate chars for a filesystem and
> > should really be allowed if the OS supports them.
>
> ** eregi from earlier post **
> $strName = eregi_replace("([^a-zA-Z_\-])",'',$_FILES['userfile']['name']);
> **
>
> just to make sure I follow... your eregi function keeps any of your
> 'allowed' characters in your expression, and replaces everything else
> with just a "" (blank), is that correct?
>
> > Perhaps you can explain this line:
> > $filename = str_replace("","",$filename);
>
> bad code!
>
> > and then check out sql, command, xss and other injection attacks and
> > why blacklisting doesn't work
>
> i actually only use 'blacklisting' for my file uploads. perhaps i will
> revisit that issue.
>
> thanks.

yes that eregi just allows the char range, but you can specify others including accented chars and so on, it does as you say and replaces any others, so
Go0od man->Goodman
(as spaces aren't allowed in the above ereg)
preg_replace is generally preferred but works in a similar way.

You can also make things more user friendly, say a user has to enter a British postcode (which has many rules for its formation) and the user types
P014 instead of PO14 (zero instead of capital letter O) or doesn't use a space.
P0145QL
you can write a simple reg exp that filters chars and checks for conformity to rules, and makes likely replacements (like 0 and O) where there is no ambiguity interpreting the user's input, and throw out the result to the lookup.
I love 'em!
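Added example (my own code, not shimmyshack's): the postcode normaliser the post sketches, done the whitelist way. Characters outside [A-Za-z0-9] are dropped, the input is upper-cased, a 0/O mix-up is corrected only in positions where the postcode layout leaves no ambiguity, and the result is checked against the general postcode shape before it is handed on. The function names, the position rules and the sample inputs are mine; "P0145QL" becoming "PO14 5QL" is the case from the post.

```php
<?php
// Added example, not code from the thread. Normalise a UK postcode:
// whitelist the characters, upper-case, fix unambiguous 0/O slips,
// then validate the general shape (outward code, space, inward code).

function fixLetter(string $c): string { return $c === '0' ? 'O' : $c; }  // position must be a letter
function fixDigit(string $c): string  { return $c === 'O' ? '0' : $c; }  // position must be a digit

function normalisePostcode(string $input): ?string
{
    // Whitelist: keep letters and digits only, then upper-case.
    $s = strtoupper(preg_replace('/[^A-Za-z0-9]/', '', $input));
    if (strlen($s) < 5 || strlen($s) > 7) {
        return null;
    }

    // The inward code is always the last three characters: digit, letter, letter.
    $inward  = substr($s, -3);
    $outward = substr($s, 0, -3);
    $inward  = fixDigit($inward[0]) . fixLetter($inward[1]) . fixLetter($inward[2]);

    // Outward code: 1-2 area letters, a digit, then an optional digit or letter.
    $outward[0] = fixLetter($outward[0]);
    switch (strlen($outward)) {
        case 2: // A9: second character is the district digit
            $outward[1] = fixDigit($outward[1]);
            break;
        case 3: // AA9, A99 or A9A: position 1 is ambiguous unless position 2 is a letter
            if (preg_match('/^[A-Z]$/', $outward[2])) {
                $outward[1] = fixDigit($outward[1]);
            }
            break;
        case 4: // AA99 or AA9A: "P014" can only be area "PO", district "14"
            $outward[1] = fixLetter($outward[1]);
            $outward[2] = fixDigit($outward[2]);
            break;
    }

    $candidate = $outward . ' ' . $inward;
    // Final conformity check against the general postcode pattern.
    return preg_match('/^[A-Z]{1,2}\d[A-Z\d]? \d[A-Z]{2}$/', $candidate) ? $candidate : null;
}

// Constructed sample inputs (the first is the case from the post).
foreach (['P0145QL', 'po14 5ql', 'sw1a OAA', 'W1A-1AA', 'not a postcode'] as $in) {
    printf("%-16s -> %s\n", $in, normalisePostcode($in) ?? '(rejected)');
}
```

The check is purely structural: it confirms that the result has the shape of a postcode, not that the area or district exists, so the lookup the post mentions still has the final say. Where a position is genuinely ambiguous (the second character of a three-character outward code such as "S01"), the input is left alone rather than guessed at, which is exactly the "no ambiguity" rule the post sets.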
#16

shimmyshack <matt.farey@gmail.com> wrote in news:1179172003.349086.263840@e51g2000hsg.googlegroups.com:

>> just to make sure I follow... your eregi function keeps any of your
>> 'allowed' characters in your expression, and replaces everything else
>> with just a "" (blank), is that correct?
>
> yes that eregi just allows the char range, but you can specify others
> including accented chars and so on, it does as you say and replaces
> any others, so
> Go0od man->Goodman
> (as spaces aren't allowed in the above ereg)
> preg_replace is generally preferred but works in a similar way.
> You can also make things more user friendly, say a user has to enter a
> British postcode (which has many rules for its formation) and the user
> types
> P014 instead of PO14 (zero instead of capital letter O) or doesn't use
> a space.
> P0145QL
> you can write a simple reg exp that filters chars and checks for
> conformity to rules, and makes likely replacements (like 0 and O)
> where there is no ambiguity interpreting the user's input, and throw out
> the result to the lookup.
> I love 'em!

Thanks for the discussion, that will be my future method for 'cleaning' filenames and the like.

Best,
GM
#17

In article <8gch43lufh9e3u7cdg1nqnbmoi798svu38@news.markshouse.net>, usenet@listmail.good-stuff.co.uk says...

> There are two solutions to that. The easiest, if you can do it, is to
> switch it off either sitewide (using .htaccess) or in the upload
> script (using php_ini_set()). If you can't, then you need to pass the
> variables through stripslashes() before processing them with your file
> handling routine.

Well, in the end I changed the user interface. Now there is a file selection window and a separate picture name field. The filename can be anything (it is just ignored). The picture name text field is processed with preg_replace to ensure that only the specified characters are in it.

--
Alfred Molon
http://www.molon.de - Photos of Asia, Africa and Europe