Sunday, 20 July 2008

Zend_File_Transfer examples or using validators to increase security

Hi interested ones,

The new Zend_File_Transfer component is growing day by day.
One incredible new feature is that this component allows you to use file validators.

These are necessary to increase security: they let you define rules for file uploads (and in future also for downloads). So let's look at some examples to get a feeling for them:

$upload = new Zend_File_Transfer_Adapter_Http();
$upload->addValidators('Size', '50kB')  // reject any single file larger than 50kB
       ->setDestination('C:/uploads')   // where accepted files are stored
       ->receive();                     // throws Zend_File_Transfer_Exception on failure

What we have done so far is to limit every sent file to a size of 50kB. Any uploaded file that exceeds 50kB makes receive() throw an exception, which we can catch.

The more rules we define, the more secure our upload will be.
So which other validators are supported so far?

  • Size: We already know this validator. It checks the filesize of a single file. You can set a minimum and a maximum filesize.
  • Count: Set this validator to exactly the number of files you expect. It also has a minimum and a maximum file count. If this validator fails, someone has probably tampered with the form and you may be under attack. You can also simply use it to limit the number of files to receive.
  • Extension: This validator checks the extension of the files. You can set multiple allowed extensions. But remember that a malicious user can change the extension by hand, so you should never rely on the extension alone.
  • FilesSize: This validator also checks file sizes, but unlike Size it checks the size of ALL files together. You could for example define that a single file must not exceed 50kB, but all files in sum must not exceed 200kB.
  • ImageSize: The ImageSize validator checks the dimensions of the given files when they are images. You can define a minimum and a maximum width and height.

So let’s see a full example of validators and a more secure upload:

$upload = new Zend_File_Transfer_Adapter_Http();
$upload->addValidators('Size', '250kB')                       // no single file above 250kB
       ->addValidators('Count', 5)                            // at most 5 files per request
       ->addValidators('FilesSize', '1MB')                    // all files together at most 1MB
       ->addValidators('Extension', 'gif, jpg, png')          // only these extensions (a name check only!)
       ->addValidators('ImageSize', array(10, 10, 1024, 768)) // min 10x10, max 1024x768 pixels
       ->setDestination('C:/uploads');

// Run all validators before receiving anything and show why they failed.
if (!$upload->isValid()) {
    print_r($upload->getMessages());
    die();
}
try {
    $upload->receive();
} catch (Zend_File_Transfer_Exception $e) {
    echo $e->getMessage();
}

So what we have created now is a file upload for images.
Each image file may be at most 250kB. We allow up to 5 images, but all images together must not exceed 1MB. Additionally we allow only gif, jpg and png files and require image dimensions from 10×10 up to 1024×768. All files are stored in 'C:/uploads'.

As you see, it is not complicated to define a more secure upload than just calling PHP's move_uploaded_file.
Feel free to play around with this example.
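The Extension validator above only looks at the file name, which the uploader controls. The following script is an added example (not part of this post and not Zend_File_Transfer code) showing how to check what a received file really contains before trusting it. It assumes the PHP fileinfo extension (finfo) and getimagesize() are available, and that $path is a file already written by receive(); obtaining that path via $upload->getFileName() is an assumption about the adapter API, so the demo below uses constructed files in the temp directory instead.

```php
<?php
// Added example: verify the real content of an "image" upload, independent
// of its extension. Not part of the original post or of Zend_File_Transfer.
// Assumes the fileinfo extension (finfo) and getimagesize() are available.

/**
 * Return 'gif', 'jpg' or 'png' if $path really holds an image of an allowed
 * type AND its extension agrees with the content; otherwise return false.
 */
function verifyImageUpload($path, array $allowed = array('gif', 'jpg', 'png'))
{
    // Step 1: libmagic classifies the leading bytes, not the file name.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($path);
    $mimeToExt = array(
        'image/gif'  => 'gif',
        'image/jpeg' => 'jpg',
        'image/png'  => 'png',
    );
    if (!isset($mimeToExt[$mime])) {
        return false;                 // e.g. text/x-php or application/x-empty
    }
    $contentExt = $mimeToExt[$mime];

    // Step 2: the image decoder must agree and report usable dimensions.
    $info = @getimagesize($path);
    if ($info === false || $info[0] < 1 || $info[1] < 1) {
        return false;
    }
    $typeToExt = array(
        IMAGETYPE_GIF  => 'gif',
        IMAGETYPE_JPEG => 'jpg',
        IMAGETYPE_PNG  => 'png',
    );
    if (!isset($typeToExt[$info[2]]) || $typeToExt[$info[2]] !== $contentExt) {
        return false;
    }

    // Step 3: the claimed extension must match the detected content and be allowed.
    $claimedExt = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    if ($claimedExt === 'jpeg') {
        $claimedExt = 'jpg';
    }
    if ($claimedExt !== $contentExt || !in_array($contentExt, $allowed, true)) {
        return false;
    }
    return $contentExt;
}

// --- Constructed demo inputs (written to the temp dir; these are not real uploads) ---
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'zft_demo_' . getmypid();
mkdir($dir);

// A genuine 1x1 pixel GIF, base64 encoded.
$gif = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');
$samples = array(
    'photo.gif' => $gif,                  // valid: content and name agree
    'photo.png' => $gif,                  // GIF bytes under a .png name: mismatch
    'shell.png' => '<?php phpinfo(); ?>', // script renamed to look like an image
    'empty.jpg' => '',                    // nothing at all
);
foreach ($samples as $name => $bytes) {
    $path = $dir . DIRECTORY_SEPARATOR . $name;
    file_put_contents($path, $bytes);
    $result = verifyImageUpload($path);
    printf("%-10s -> %s\n", $name, $result === false ? 'REJECTED' : 'accepted as ' . $result);
    unlink($path);
}
rmdir($dir);
```

Run such a check right after receive() and before the file is ever served; the Extension and ImageSize validators narrow the input, but only the content check tells you that a ".png" is not a script with a renamed extension.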

In future there will be additional validators like MimeType and FileName.
Filters will also be added, which allow you to change uploaded files on the fly before they are stored.
Filters could, for example, resize images automatically or convert text files to a proper line ending, and much more.

Greetings
Thomas, I18N Team Leader, Zend Framework
