I’m currently writing an upload class for uploading images. I do extension checks to verify that the uploaded images are of the supported types, and the photos are always chmod(0664) when the uploaded file is copied to it’s resting place. Is this relatively safe? I don’t know much about image encoding, but even if someone went through the trouble of somehow tricking my extension check, the file could never be ran on the server anyways unless there was a security hole elsewhere and the attackers were already into my file system, correct? Here’s my extension check:

function validate_ext() { //Function validates that the files extension matches the list of allowed extensions
    $extension = $this->get_ext($this->theFile);
    $ext_array = $this->extensions;
    if (in_array($extension, $ext_array)) { //Check if file's ext is in the list of allowed exts
        return true;
        echo "ext found";
    } else {
        $this->error[] = "That file type is not supported. The supported file types are: ".$this->extString;
        return false;
    }
}

And here’s the function that copies the uploaded file to it’s final resting place.

if ($_FILES[$this->uploadName]['error'] === UPLOAD_ERR_OK){
    $newfile = $this->uploadDir.$this->theFile;
    if (!move_uploaded_file($this->tempFile, $newfile)) {
        $this->error[] = "The file could not be moved to the new directory. Check permissions and folder paths.";
        die($this->error_text());   
    }else{
        $this->error[] = "The file ".$this->originalName." was successfully uploaded.";
        if ($this->renameFile == true){
            $this->error[] = $this->originalName." was renamed to ".$this->theFile;
        }
        chmod($newfile , $this->fileperm);
    }
}else{
    $this->error[] = $this->file_upload_error_message($_FILES[$this->uploadName]['error']);
    die($this->error_text());
}