Checking Malicious Uploaded Content in just one line of Bash

September 22, 2010

Today I was at the Payamnour University site. They have a registration system this year in which students upload document images for further review.

After I fixed the performance issues that were preventing proper use in the first days of the registration system (MySQL/PHP/Apache/etc.), I sat down and wrote this small one-line Bash script, which checks whether all the uploaded files are in fact images. It uses file -b so that only the detected type is matched, not the file name:

for a in *; do if file -b -- "$a" | grep -qi image; then echo -n "."; else echo "*** $a --> Check it! ***"; fi; done

Bash is a great tool :)

From → linux

One Comment
  1. Andrew Dalke

    You are still open to malicious data. “touch not_an_image”, “gzip not_an_image”, “file not_an_image.gz”, which reports:

    not_an_image.gz: gzip compressed data, was “not_an_image”, from Unix, last modified: Sun May 29 23:48:58 2011

    I see that an “.xls” file and an “.msi” file also show user-defined text.
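The commenter's point is that grepping the free-text description printed by file(1) is not a content check: the description of a gzip file repeats the original file name, so a name containing "image" passes. The script below, added here as an example and not the post author's or the commenter's code, does what the one-liner intends but by inspecting the leading magic bytes with od, so neither the file name nor any user-supplied text inside the file can influence the verdict. The sample uploads it creates (a PNG header, a JPEG header, a gzip file named image.png.gz, and a text file) are constructed for the demonstration; the function names (magic_hex, magic_type, is_image, scan_uploads, make_samples) are this example's own.

```shell
#!/bin/sh
# Added example: classify uploads by their leading magic bytes instead of
# trusting the file name or the free-text description from file(1).

# Print the hex of the first 8 bytes of a file, without spaces
# (for example 89504e470d0a1a0a for a PNG).
magic_hex() {
    od -An -tx1 -N8 -v < "$1" | tr -d ' \n'
}

# Map the leading bytes to a type name; prints "unknown" for anything else.
magic_type() {
    case "$(magic_hex "$1")" in
        89504e470d0a1a0a*)           echo png ;;
        ffd8ff*)                     echo jpeg ;;
        474946383761*|474946383961*) echo gif ;;   # GIF87a / GIF89a
        1f8b*)                       echo gzip ;;
        *)                           echo unknown ;;
    esac
}

# Return 0 if the file content is an image type we accept, 1 otherwise.
is_image() {
    case "$(magic_type "$1")" in
        png|jpeg|gif) return 0 ;;
        *)            return 1 ;;
    esac
}

# Scan a directory like the post's one-liner, but based on content.
# Prints a dot per accepted file and a warning line per rejected file;
# the return value is the number of rejected files.
scan_uploads() {
    bad=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if is_image "$f"; then
            printf '.'
        else
            printf '\n*** %s --> Check it! (%s) ***\n' "$f" "$(magic_type "$f")"
            bad=$((bad + 1))
        fi
    done
    printf '\n'
    return "$bad"
}

# Constructed sample uploads (not real user data); prints the directory.
make_samples() {
    dir=$(mktemp -d)
    printf '\211PNG\r\n\032\n' > "$dir/scan1.png"   # genuine PNG signature
    printf '\377\330\377\340' > "$dir/scan2.jpg"     # genuine JPEG signature
    # Named like an image, and file(1) would print 'was "image.png"',
    # but the bytes are a gzip header.
    printf '\037\213\010\010' > "$dir/image.png.gz"
    printf 'hello' > "$dir/notes.txt"
    printf '%s' "$dir"
}

# Stand-alone usage: build the samples and scan them.
samples=$(make_samples)
scan_uploads "$samples"
```

Running it prints two dots for the genuine image headers and two "Check it!" lines, one for the gzip file and one for the text file. Matching on bytes also means a renamed .xls or .msi upload is rejected regardless of any text embedded in it; extending the accepted list is a matter of adding signatures to magic_type.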
