|
|
Posted by Dave on 07/11/05 04:12
Mladen Gogala (gogala@sbcglobal.net) decided we needed to hear...
> On Sun, 10 Jul 2005 01:06:03 -0400, Dave wrote:
>
> > Thats not good advice. Using the file extension to guess what a file
> > contains is a Bad Idea(tm) and easy to get around.
> >
> > mime_content_type() or PECL fileinfo() should be used if they are
> > available, as they actually check portions of the file content to
> > determine filetype... if hosting is on Windoze I'm unsure if those
> > functions are available, but if not then other file-magic checkers are
> > probably available.
>
> If you are concerned about safety, that's not safe either as the first
> byte can be rigged to reflect whatever you have in the /etc/mime-magic. I
Thats not strictly true. e.g. An msdos executable has the chars MZ in
the first 2 bytes of the file - Change MZ to (say) ID3 to make it look
like an MP3 file and it no longer works as an executable (at least for
the couple tests I just did using a hex editor and a copy of ARJ.EXE)
Testing actual file content (even though its not perfect either) is
always preferable to checking the file extension.
> assume that not everybody is allowed to upload files freely and that she
> takes care what is being done with the uploaded files. If she doesn't
> attempt to execute those files and if she takes care that they don't have
> execute permission, she's safe. Uploading files to somebody's computer is
> a privilege, which has to be earned. If you trust someone to put stuff
> onto your disk, you can also trust that what he says is an MP3 file is
Agreed - in general ;)
> actually an MP3 file. Of course, if you attempt to execute a file with
> MP3 extension and change its execute permission in order to do that, you
> deserve whatever may befall you. I know about the mime_content_type
> function, but it returns a disgusting MIME string. Extension handling
A mime type string is super-easy to parse and describes very well what
the file (should) contains - what more could you want?
> with a "switch" simplifies the code and doesn't need additional parsing
> of "application/png-image" type strings. I haven't checked PECL fileinfo
> yet, but I will certainly do that. Thanks for the tip.
You're welcome.
>
>
--
Dave <dave@REMOVEbundook.com>
(Remove REMOVE for email address)
Navigation:
[Reply to this message]
|