Powerpoint uploads and MIME types

May 03, 2008

I am building an application to upload PPT files. I want to test the
incoming filenames to see if it *is* a PPT file, but cannot find a MIME type
for it. How should I do this so that I only allow such files to be
uploaded?

--
Murray --- ICQ 71997575
Adobe Community Expert
(If you *MUST* email me, don't LAUGH when you do so!)
==================
http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
http://www.dwfaq.com - DW FAQs, Tutorials & Resources
==================


May 04, 2008

On 03 May 2008 in macromedia.dreamweaver.appdev, Murray *ACE* wrote:

> I am building an application to upload PPT files. I want to test
> the incoming filenames to see if it *is* a PPT file, but cannot find
> a MIME type for it. How should I do this so that I only allow such
> files to be uploaded?

application/vnd.ms-powerpoint ppt

http://www.w3schools.com/media/media_mimeref.asp

I just checked several Powerpoint files - the first 8 bytes are (hex)
d0 cf 11 e0 a1 b1 1a e1
in all the files I checked. So you can:
- upload the file
- open the file up and examine the first 8 bytes:
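$testvalue = pack('H*', 'd0cf11e0a1b11ae1'); // the 8 signature bytes listed above
$handle = fopen($filename, "rb");
$contents = fread($handle, 8);
fclose($handle);
if ($contents !== $testvalue) { /* signature does not match */ }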
- for dealing with the binary string, see bin2hex and pack

http://www.php.net/manual/fopen
http://www.php.net/manual/fread
http://www.php.net/bin2hex
http://www.php.net/pack

(This is PHP, right?)

I'd also examine a few more powerpoint files - I think that there are a
few different types? - to be sure that the signature I list is
characteristic. And remember that Microsoft completely changed file
structures for Office 2007, and that .pptx is probably completely
different to all other previous formats...

http://en.wikipedia.org/wiki/Microsoft_PowerPoint#File_formats

--
Joe Makowiec
http://makowiec.net/
Email: http://makowiec.net/contact.php

May 04, 2008

On Sat, 3 May 2008 20:15:31 -0400, "Murray *ACE*"
<forums@HAHAgreat-web-sights.com> wrote:

>I am building an application to upload PPT files. I want to test the
>incoming filenames to see if it *is* a PPT file, but cannot find a MIME type
>for it. How should I do this so that I only allow such files to be
>uploaded?

Both .ppt and .pps should use a mime type of
application/vnd.ms-powerpoint.

However, the mime type that you get in the $_FILES array is what is
sent by the browser and that's not something you can control. I'd test
the file name extension directly instead. Something like this should
do it:

// assume the filename being tested is $filename:

// escape the dot and anchor the pattern so only ".ppt" or ".pps" matches
if (preg_match('/^\.(ppt|pps)$/i', (string) strrchr($filename, '.'))) {
// it's powerpoint
} else {
// it's not
}

Gary

May 04, 2008

You'd check the filename instead of the mime type? I thought about doing it
that way before posting, but decided it was too simple a solution, and
probably too insecure.

--
Murray --- ICQ 71997575
Adobe Community Expert
(If you *MUST* email me, don't LAUGH when you do so!)
==================
http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
http://www.dwfaq.com - DW FAQs, Tutorials & Resources
==================

May 04, 2008

Thanks, Joe! See my reply to Gary's post....

--
Murray --- ICQ 71997575
Adobe Community Expert
(If you *MUST* email me, don't LAUGH when you do so!)
==================
http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
http://www.dwfaq.com - DW FAQs, Tutorials & Resources
==================

May 04, 2008

OK - here's the skinny:

PPT extension files have a MIME type (PC or Mac) as stated. PPTX extension
files (PC or Mac) have a MIME type as shown in the line in my code below -

if (($_FILES['uploadfile']['type'] == 'application/vnd.ms-powerpoint') ||
($_FILES['uploadfile']['type'] ==
'application/vnd.openxmlformats-officedocument.presentationml.presentation'))
{

This test appears to work as desired. Why would I not want to use it to
filter all but Powerpoint files?

--
Murray --- ICQ 71997575
Adobe Community Expert
(If you *MUST* email me, don't LAUGH when you do so!)
==================
http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
http://www.dwfaq.com - DW FAQs, Tutorials & Resources
==================

May 04, 2008

.oO(Murray *ACE*)

>You'd check the filename instead of the mime type? I thought about doing it
>that way before posting, but decided it was too simple a solution, and
>probably too insecure.

The filename is as insecure as the MIME type. Both are sent by the
browser, both can be faked or not be available at all. If you really
want to make sure that it's a PPT, you have to sniff the content.

If the site is hosted on a *nix machine and if you're allowed to execute
system commands, one way for doing such sniffing could be to invoke the
*nix command 'file', which returns a lot of information about a file if
it's in a recognized format. The PHP extension 'Fileinfo' does a similar
thing, but has to be installed by hand from the PECL repository.

Micha
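
The content check that Joe and Micha describe in this thread, written out as an added example (not code from any poster). The function name, its return shape and the sample byte strings are assumptions made for the illustration; the browser-supplied MIME type is deliberately never consulted.

```php
<?php
const OLE2_MAGIC = "\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"; // the 8 bytes quoted in the thread
const ZIP_MAGIC  = "PK\x03\x04";                        // .pptx files are ZIP containers

// Hypothetical helper (name and return shape are this example's own).
// $tmpPath:    server-side temp file, e.g. $_FILES['uploadfile']['tmp_name']
// $clientName: browser-supplied name, used only to cross-check the extension
function check_powerpoint_upload(string $tmpPath, string $clientName): array
{
    $result = ['accepted' => false, 'kind' => null, 'sniffed_mime' => null];
    $handle = @fopen($tmpPath, 'rb');
    if ($handle === false) {
        return $result;
    }
    $head = (string) fread($handle, 8);
    fclose($handle);

    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if ($head === OLE2_MAGIC && in_array($ext, ['ppt', 'pps'], true)) {
        $result['kind'] = 'ole2';
    } elseif (strncmp($head, ZIP_MAGIC, 4) === 0 && $ext === 'pptx') {
        $result['kind'] = 'zip';
    } else {
        return $result; // bytes and extension disagree, or neither is allowed
    }

    // Fileinfo, when installed, gives a second opinion from libmagic. Its label
    // for Office files varies by version, so it is recorded rather than enforced.
    if (class_exists('finfo')) {
        $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
        $result['sniffed_mime'] = $mime === false ? null : $mime;
    }
    $result['accepted'] = true;
    return $result;
}

// Constructed sample inputs (not real presentations): only the leading bytes matter.
$samples = [
    'deck.ppt'  => OLE2_MAGIC . str_repeat("\0", 504),
    'deck.pptx' => ZIP_MAGIC . str_repeat("\0", 26),
    'notes.ppt' => "plain text renamed to .ppt\n",
    'mixed.ppt' => ZIP_MAGIC . str_repeat("\0", 26), // ZIP bytes under a .ppt name
];
foreach ($samples as $name => $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $bytes);
    $r = check_powerpoint_upload($tmp, $name);
    printf("%-10s %s\n", $name, $r['accepted'] ? "accepted ({$r['kind']})" : 'rejected');
    unlink($tmp);
}
```

Both signatures identify containers rather than PowerPoint itself: legacy .doc and .xls files share the OLE2 header and every ZIP archive starts with PK\x03\x04, so a match narrows the type without proving it. In a real handler, pass `$_FILES['uploadfile']['tmp_name']` only after `is_uploaded_file()` confirms it.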

May 04, 2008

I am on a *nix server. I'll look into the Fileinfo extension....

--
Murray --- ICQ 71997575
Adobe Community Expert
(If you *MUST* email me, don't LAUGH when you do so!)
==================
http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
http://www.dwfaq.com - DW FAQs, Tutorials & Resources
==================

May 04, 2008

On Sun, 4 May 2008 07:53:04 -0400, "Murray *ACE*"
<forums@HAHAgreat-web-sights.com> wrote:

>You'd check the filename instead of the mime type? I thought about doing it
>that way before posting, but decided it was too simple a solution, and
>probably too insecure.

The mime type is only whatever the browser sends. While checking the
file content is the most secure, I find checking the extension to be
adequate for my needs. Even if someone uploads something other than a
PowerPoint file, an attempt to open the file results in PowerPoint
throwing an error saying it's not a valid PowerPoint file.

Gary

May 04, 2008

Yeah - thanks, I think I will do that.

--
Murray --- ICQ 71997575
Adobe Community Expert
(If you *MUST* email me, don't LAUGH when you do so!)
==================
http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
http://www.dwfaq.com - DW FAQs, Tutorials & Resources
==================

May 04, 2008

Combined with the preg comparison you gave me, it's perfect. Thanks, Gary.

--
Murray --- ICQ 71997575
Adobe Community Expert
(If you *MUST* email me, don't LAUGH when you do so!)
==================
http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
http://www.dwfaq.com - DW FAQs, Tutorials & Resources
==================

May 04, 2008
On Sun, 4 May 2008 12:31:01 -0400, "Murray *ACE*"
<forums@HAHAgreat-web-sights.com> wrote:

>Combined with the preg comparison you gave me, it's perfect. Thanks, Gary.

You're welcome, Murr.

Gary
