Posted by Michael Fesser on 10/15/07 18:54
..oO(Umberto Salsi)
>Remarks: always save the MIME type as provided by the client, never rely on
>the "extension"
IMHO this might expose new security holes. The MIME type sent from the
client (if it is there at all!) is as unreliable as the file extension,
anything can be faked. If someone uploads some malicious content (maybe
an IE exploit) for example as 'image/jpeg' with a .jpg extension and
your script delivers this file in the same way - well, we all know how
IE deals with file extensions and content type headers ...
>, there are many more MIME types than available three-letter
>readable codes.
There are also libraries available to test/sniff MIME types.
Micha
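As an added example (not code from the thread or from either poster), here is a small Python upload check that does what Micha argues for: the client's Content-Type is treated as advisory only, the file's leading magic bytes are sniffed server-side, and the extension must agree with the sniffed type before the file is accepted. The signature table, the allowed-extension map and the sample inputs are all constructed for this example; the serving headers use the standard `X-Content-Type-Options: nosniff` so a browser cannot re-interpret the stored type.

```python
import os
import re
from typing import Optional, Tuple

# Constructed table: standard leading byte signatures of the image types this
# hypothetical upload handler allows. Anything not in here is rejected.
SIGNATURES = {
    "image/jpeg": [b"\xff\xd8\xff"],
    "image/png": [b"\x89PNG\r\n\x1a\n"],
    "image/gif": [b"GIF87a", b"GIF89a"],
}

# Constructed map from accepted extension to the MIME type it must contain.
ALLOWED_EXTENSIONS = {
    ".jpg": "image/jpeg",
    ".jpeg": "image/jpeg",
    ".png": "image/png",
    ".gif": "image/gif",
}


def sniff_mime(data: bytes) -> Optional[str]:
    """Return the MIME type whose magic bytes open `data`, or None."""
    for mime, prefixes in SIGNATURES.items():
        if any(data.startswith(p) for p in prefixes):
            return mime
    return None


def validate_upload(filename: str, client_mime: str, data: bytes) -> Tuple[bool, str, Optional[str]]:
    """Decide whether an upload is accepted.

    Returns (accepted, reason, mime_to_store). The stored type is always the
    sniffed one; the client-supplied `client_mime` never decides anything.
    """
    ext = os.path.splitext(filename)[1].lower()
    expected = ALLOWED_EXTENSIONS.get(ext)
    if expected is None:
        return False, "extension not allowed", None

    sniffed = sniff_mime(data)
    if sniffed is None:
        return False, "content does not match any allowed type", None
    if sniffed != expected:
        return False, f"content is {sniffed} but extension says {expected}", None

    # A lying client header is worth logging but is not a reason to reject:
    # the bytes, not the claim, determine what we store.
    reason = "ok" if client_mime == sniffed else "ok (client type ignored)"
    return True, reason, sniffed


def response_headers(stored_mime: str, filename: str) -> dict:
    """Headers for serving a stored upload with the sniffed type pinned."""
    # Strip anything but a conservative character set so the filename cannot
    # smuggle quotes or CR/LF into the header.
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", os.path.basename(filename))
    return {
        "Content-Type": stored_mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'inline; filename="{safe_name}"',
    }


if __name__ == "__main__":
    # Constructed sample: HTML uploaded as "image/jpeg" with a .jpg extension.
    print(validate_upload("cat.jpg", "image/jpeg", b"<html><script>alert(1)</script>"))
    # Constructed sample: a real JPEG header with a lying client header.
    print(validate_upload("cat.jpg", "text/plain", b"\xff\xd8\xff\xe0" + b"\x00" * 16))
```

Checking the leading bytes catches the case Micha describes (a non-image delivered as `image/jpeg`), but it is not a complete parse: a file can be a valid image and still carry other content further in, so the `nosniff` header and serving uploads from a separate origin or as downloads are the other half of the defence.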