
Checking Malicious Uploaded Content in just one line of Bash

September 22, 2010

Today I was at the Payamnour University site. They have a registration system this year in which students upload document images for further review.

After I fixed the performance issues that had prevented proper use of the registration system during its first days (tuning mysql/php/apache/etc.), I sat down and wrote this small one-line bash script, which checks whether all the uploaded files are in fact images.

for a in *; do if file "$a" | grep -qi image; then echo -n "."; else echo "*** $a --> Check it! ***"; fi; done

Bash is a great tool :)

From → linux

One Comment
  1. Andrew Dalke permalink

    You are still open to malicious data. “touch not_an_image”, “gzip not_an_image”, “file not_an_image.gz”, which reports:

    not_an_image.gz: gzip compressed data, was "not_an_image", from Unix, last modified: Sun May 29 23:48:58 2011

    I see that an “.xls” file and an “.msi” file also show user-defined text.
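The check in the post greps the human-readable description printed by `file`, and the comment above shows why that is weak: that description can contain text the uploader controls (the original filename stored in a gzip header, strings inside Office or MSI files), so a non-image can match `image`. The script below is an added example, not the post's one-liner, that classifies each upload by its leading magic bytes against a short allowlist (PNG, JPEG, GIF) using only POSIX `od`, so no user-supplied string can influence the verdict. The nearest drop-in with the `file` tool itself is `file -b --mime-type` compared against an allowlist of MIME types, which likewise ignores embedded text. The sample directory, file names and contents are constructed for the demo; `is_image`, `scan_uploads` and `make_samples` are names chosen here.

```shell
#!/bin/sh
# Added example (not the post's script): accept an upload only if its first
# bytes match a known raster-image signature. The verdict depends solely on
# those bytes, never on strings an uploader can embed (e.g. a gzip's
# "was <name>" field). All sample files below are constructed for the demo.

# Print the first $2 bytes of file $1 as lowercase hex with no separators.
hexhead() {
    head -c "$2" "$1" | od -An -tx1 -v | tr -d ' \n'
}

# Return 0 if $1 starts with a PNG, JPEG or GIF signature, 1 otherwise.
# gzip, plain text, Office documents, MSI, etc. all fall through to 1.
is_image() {
    sig=$(hexhead "$1" 8)
    case "$sig" in
        89504e470d0a1a0a)            return 0 ;;   # PNG: \x89PNG\r\n\x1a\n
        ffd8ff*)                     return 0 ;;   # JPEG: SOI marker FF D8 FF
        474946383761*|474946383961*) return 0 ;;   # GIF87a / GIF89a
        *)                           return 1 ;;
    esac
}

# Walk a directory of uploads the way the post's loop does, but with is_image
# as the test. Prints one line per rejected file and returns the number of
# rejections so a caller can act on it (exit statuses are capped at 255).
scan_uploads() {
    bad=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if is_image "$f"; then
            printf '.'
        else
            printf '\n*** %s --> Check it! ***' "$f"
            bad=$((bad + 1))
        fi
    done
    printf '\n'
    return "$bad"
}

# Create a constructed sample directory and print its path.
make_samples() {
    dir=$(mktemp -d)
    # a file beginning with the 8-byte PNG signature
    printf '\211PNG\r\n\032\n' > "$dir/real.png"
    # a file beginning with the JPEG start-of-image marker
    printf '\377\330\377\340' > "$dir/real.jpg"
    # a gzip header (1f 8b) followed by text the post's grep would match,
    # standing in for the "was not_an_image" case raised in the comment
    printf '\037\213\010\010 was "image.txt"' > "$dir/not_an_image.gz"
    # plain text given an image-looking name
    printf 'just text\n' > "$dir/fake.png"
    printf '%s' "$dir"
}

# Demo run over the constructed samples.
samples=$(make_samples)
scan_uploads "$samples" || echo "rejected $? file(s) in $samples"
```

A signature match only says the file starts like an image; it does not prove the image decoder will handle the rest of the bytes safely, so the usual next step is to re-encode accepted uploads with an image library and store only the re-encoded copy.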
