Posted by Tyrone Slothrop on 01/31/07 14:40
On Wed, 31 Jan 2007 00:31:40 -0000, gordonb.a68sj@burditt.org (Gordon
Burditt) wrote:
>>I have created a script which attaches form uploaded files to an
>>email. What security is suggested to prevent attachments which may
>>contain viruses, etc. from being uploaded?
>
>If the uploaded file is coming from an untrusted source, don't trust
>it. It's probably SPAM. The worst stuff is just straight text
>files that contain stuff that infects human minds (like MAKE MONEY
>FAST chain letters).
>
>>I am running finfo_file()
>>to determine the mime-types of the files being uploaded, so it should
>>be easy to exclude certain types of files based on this, or the file's
>>extension.
>
>Not nearly enough. MIME types and file names can be arbitrarily set to
>misrepresent the contents.

While I may agree with you, my client wants an upload so that is what
she gets. I may have to send the mails via SMTP so they run through a
Brightmail service and then Spam Assassin instead of going directly to
her mailbox. I was just hoping for something a bit simpler.
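
The type check discussed in this thread, as an added example that is not part of the original posts: an allow-list that requires the file extension and the type `finfo_file()` sniffs from the bytes on disk to agree, and never reads the browser-supplied `$_FILES[...]['type']`. The names `ALLOWED` and `check_upload()` and the sample files are assumptions constructed for the illustration.

```php
<?php
// Added example, not code from the thread. ALLOWED and check_upload() are
// hypothetical names. Maps each permitted extension to the one content type
// it must sniff as; anything not listed is refused.
const ALLOWED = [
    'png' => 'image/png',
    'pdf' => 'application/pdf',
    'txt' => 'text/plain',
];

/**
 * $clientName: file name as sent by the browser (untrusted).
 * $path:       temp file on disk (e.g. $_FILES['f']['tmp_name']).
 * Returns [bool $ok, string $reason].
 */
function check_upload(string $clientName, string $path): array
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        return [false, "extension '$ext' is not on the allow-list"];
    }
    // Type derived from the file's bytes, not from anything the client said.
    $sniffed = finfo_file(finfo_open(FILEINFO_MIME_TYPE), $path);
    if ($sniffed !== ALLOWED[$ext]) {
        return [false, "content sniffs as '$sniffed', expected '" . ALLOWED[$ext] . "'"];
    }
    return [true, 'extension and sniffed type agree'];
}

// Constructed sample inputs: a minimal PNG header, and plain text under
// misleading or disallowed names.
$pngHeader = "\x89PNG\r\n\x1a\n\0\0\0\rIHDR" . pack('NNC5', 1, 1, 8, 2, 0, 0, 0);
$samples = [
    'photo.png'  => $pngHeader,
    'report.png' => "plain text with an image extension\n",
    'notes.exe'  => "plain text with a disallowed extension\n",
];

foreach ($samples as $name => $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $bytes);
    [$ok, $why] = check_upload($name, $tmp);
    printf("%-11s %s: %s\n", $name, $ok ? 'ACCEPT' : 'REJECT', $why);
    unlink($tmp);
}
```

A match only shows that the content is of an allowed type; it does not show the file is harmless, so it complements the mail-gateway scanning mentioned in the post and does not replace it.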