Double extension will bypass extension check rules

Question

It is said in many article about securing file upload that it is better to prepare a white list of extension instead of a blacklist. But it seems this method has some problem with double extension files. For example I have a whitelist like 'pdf','doc','docx' but this white list return true for apple.php.doc or apple.doc.php .

How can I write a secure extension check function?

Answer 1

you should try to understand the reasons for this, your question doesn't make any sense.

the reason you shouldn't allow any particular extension is that some webservers (like Apache) determine the way the files are server based on them, of course that only applies to files within the directories they're serving publicly but most of the time the uploaded files go there so what happens when you allow an extension that the server will execute like .php is that it allows random people on the web to inject code on your site.

that doesn't happen for .php.doc because the extension is still .doc and the server will treat it like that.

it's worth mentioning that one can configure the webserver to not execute certain files within a directory but it's not the default and few people actually do so.

Answer 2

Use this code to check if extension is good:

$valid_exts = array('doc', 'pdf');
if (in_array(pathinfo($filename, PATHINFO_EXTENSION), $valid_exts)) {
     // everything is fine
} else {
     // not fine
}