Posted by Michael Fesser on 07/25/07 10:06
..oO(FFMG)
>Sanders Kaufman;83072 Wrote:
>
>> Just a note about this.
>> I found out a few years ago that you also should strip header
>> information out of GIF images. You can put PHP code in there, and it
>> executed when the gif is displayed.
>
>More the reason why I should prevent the 'image' from executing.

Whether the webserver will "execute" a file primarily depends on the
file extension. A file myImage.gif.php doesn't even have to have any
execution bits set - if the server can read it, PHP can load and
interpret it.

>So what attributes should I set then?

Nothing special. The file just has to be readable for the webserver.
Just keep an eye on the file extension, especially if you allow users to
directly access their uploaded files:

http://example.com/user/myImage.gif.php

Or use a script to deliver the files to the user, so the webserver won't
even try to handle the file on its own.

Micha
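
The delivery-script approach suggested in the reply above, as an added example that is not part of the original post. The script name `deliver.php`, the `file` query parameter, the `UPLOAD_DIR` path and the extension allowlist are assumptions; uploads are assumed to live outside the document root.

```php
<?php
// deliver.php (hypothetical name): streams an uploaded image to the client.
// Assumption: uploads are stored outside the document root, so the web server
// never maps a URL directly onto an uploaded file.
const UPLOAD_DIR = '/var/www/uploads';   // assumed path
const ALLOWED = [                        // extension => Content-Type sent to the client
    'gif' => 'image/gif',
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
];

// Return the Content-Type for a requested name, or null if it must be refused.
function allowedType(string $name): ?string
{
    // Refuse empty names, path components, NUL bytes and dot-files.
    if ($name === '' || $name !== basename($name)
        || strpos($name, "\0") !== false || $name[0] === '.') {
        return null;
    }
    // Require exactly one dot. This is stricter than checking the last
    // extension only: it refuses myImage.gif.php and also myImage.php.gif.
    $parts = explode('.', strtolower($name));
    if (count($parts) !== 2) {
        return null;
    }
    return ALLOWED[$parts[1]] ?? null;
}

function deliver(string $name): void
{
    $type = allowedType($name);
    $root = realpath(UPLOAD_DIR);
    $path = ($type === null || $root === false) ? false : realpath($root . '/' . $name);
    // realpath() resolves symlinks; the result must still be inside UPLOAD_DIR.
    if ($path === false || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0 || !is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . $type);             // fixed by the allowlist, not by the upload
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . filesize($path));
    readfile($path);   // bytes are streamed, never include()d, so PHP code in the file stays inert
}

if (PHP_SAPI !== 'cli') {
    deliver($_GET['file'] ?? '');
}
```

With this in place a request for `deliver.php?file=myImage.gif.php` gets a 404, and a GIF carrying PHP in its header is sent as plain `image/gif` bytes.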