On google app engine, how do i stop users uploading malicious files renamed to something friendly?

Question

I am working on an app where users can upload images and iv'e been setting it up on Google App Engine which i think is fantastic so far. But I'm having trouble figuring our the best way to validate a users upload as a proper image, I cant see anything in their documentation about it and the search results on Google are very few and far between so i'm wondering if i am headed down the wrong path with this.

Basically I don't want to store files that aren't images (cost and consistency reasons mainly as well as protecting my users) so I need a valid way to determine that, I was thinking of using the cloud storage tools API to get the content type but i'm wondering if that is just going to be based off the file extension, because the file type that the GCS upload url gave me back was a 'image/jpeg' when i renamed a .exe to a .js

I really feel like i'm missing something here, has anyone else come across this issue on Google app engine yet?

Answer 1

The GD extension is available, so you could call getimagesize on the file.

If it gives you a valid size then assume it's an image, otherwise it is not.

Answer 2

To determine the file type, you will need a mechanism to inspect the first few bytes of the file that will typically contain the magic number. The magic number is a way to determine the file type. Take a look at various magic numbers for popular file extensions : http://billatnapier.wordpress.com/2013/04/22/magic-numbers-in-files/

Answer 3

Similar question with solution:

• For python: How to check type of files without extensions in python?
• For PHP (see two last post): Best way to recognize a filetype in php

Answer 4

Use exif_imagetype. Based on the docs, Its faster than getimagesize.