Re: Audio files - *.mp3

Posted by Dave on 07/11/05 04:12

Mladen Gogala (gogala@sbcglobal.net) decided we needed to hear...
> On Sun, 10 Jul 2005 01:06:03 -0400, Dave wrote:
>
> > That's not good advice. Using the file extension to guess what a file
> > contains is a Bad Idea(tm) and easy to get around.
> >
> > mime_content_type() or PECL fileinfo() should be used if they are
> > available, as they actually check portions of the file content to
> > determine filetype... if hosting is on Windoze I'm unsure if those
> > functions are available, but if not then other file-magic checkers are
> > probably available.
>
> If you are concerned about safety, that's not safe either as the first
> byte can be rigged to reflect whatever you have in the /etc/mime-magic. I

That's not strictly true. e.g. An MS-DOS executable has the chars MZ in
the first 2 bytes of the file - change MZ to (say) ID3 to make it look
like an MP3 file and it no longer works as an executable (at least for
the couple of tests I just did using a hex editor and a copy of ARJ.EXE)

Testing actual file content (even though it's not perfect either) is
always preferable to checking the file extension.

> assume that not everybody is allowed to upload files freely and that she
> takes care what is being done with the uploaded files. If she doesn't
> attempt to execute those files and if she takes care that they don't have
> execute permission, she's safe. Uploading files to somebody's computer is
> a privilege, which has to be earned. If you trust someone to put stuff
> onto your disk, you can also trust that what he says is an MP3 file is

Agreed - in general ;)

> actually an MP3 file. Of course, if you attempt to execute a file with
> MP3 extension and change its execute permission in order to do that, you
> deserve whatever may befall you. I know about the mime_content_type
> function, but it returns a disgusting MIME string. Extension handling

A MIME type string is super-easy to parse and describes very well what
the file contains (or should) - what more could you want?

> with a "switch" simplifies the code and doesn't need additional parsing
> of "application/png-image" type strings. I haven't checked PECL fileinfo
> yet, but I will certainly do that. Thanks for the tip.

You're welcome.

--
Dave <dave@REMOVEbundook.com>
(Remove REMOVE for email address)
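
The content check the thread argues for, as an added example rather than code from either poster: it contrasts an extension-only check with the Fileinfo extension (the successor of PECL fileinfo, bundled with PHP since 5.3) and with a direct look at the leading bytes, then accepts an upload only when all three agree. The function names, the constructed sample files and the single-entry allow-list (`audio/mpeg`) are assumptions made for the example.

```php
<?php
// Added example, not code from the original thread. Shows the approach the
// thread contrasts: trusting the extension (easily fooled) versus inspecting
// file content with finfo (libmagic) and an independent look at the first
// bytes. Function names and the constructed sample files are assumptions.

declare(strict_types=1);

/** Extension-only check: the approach the thread argues against. */
function extensionSaysMp3(string $name): bool
{
    return strtolower(pathinfo($name, PATHINFO_EXTENSION)) === 'mp3';
}

/** Content check via libmagic; returns the MIME type or null on failure. */
function detectMimeType(string $path): ?string
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $type = $finfo->file($path);
    return $type === false ? null : $type;
}

/**
 * Independent look at the leading bytes: an MP3 normally starts with an
 * ID3v2 tag ("ID3") or an MPEG frame sync (0xFF followed by a byte whose
 * top three bits are set). A DOS/Windows executable starts with "MZ".
 */
function leadingBytesSay(string $path): string
{
    $head = file_get_contents($path, false, null, 0, 4);
    if ($head === false || strlen($head) < 2) {
        return 'unknown';
    }
    if (substr($head, 0, 2) === 'MZ') {
        return 'executable';
    }
    if (substr($head, 0, 3) === 'ID3') {
        return 'mp3';
    }
    if (ord($head[0]) === 0xFF && (ord($head[1]) & 0xE0) === 0xE0) {
        return 'mp3';
    }
    return 'unknown';
}

/** Accept an upload only when the name, libmagic and leading bytes all agree. */
function isAcceptableMp3Upload(string $originalName, string $tmpPath): bool
{
    return extensionSaysMp3($originalName)
        && detectMimeType($tmpPath) === 'audio/mpeg'
        && leadingBytesSay($tmpPath) === 'mp3';
}

// Constructed demo: two files that both carry the .mp3 extension.
$dir = sys_get_temp_dir();

// 1) A minimal ID3v2 header followed by padding: looks like an MP3.
$realish = $dir . '/song.mp3';
file_put_contents($realish, "ID3\x03\x00\x00\x00\x00\x00\x00" . str_repeat("\x00", 64));

// 2) An "MZ" header renamed to .mp3: the extension lies about the content.
$renamed = $dir . '/not_a_song.mp3';
file_put_contents($renamed, 'MZ' . str_repeat("\x00", 64));

foreach ([$realish, $renamed] as $path) {
    printf("%s: extension=%s magic=%s bytes=%s accept=%s\n",
        basename($path),
        extensionSaysMp3($path) ? 'mp3' : 'other',
        detectMimeType($path) ?? 'n/a',
        leadingBytesSay($path),
        isAcceptableMp3Upload($path, $path) ? 'yes' : 'no');
}

unlink($realish);
unlink($renamed);
```

In a real upload handler, pass `$_FILES['f']['name']` as the original name and `$_FILES['f']['tmp_name']` as the path, and only call `move_uploaded_file()` once `isAcceptableMp3Upload()` returns true. The exact MIME strings finfo returns depend on the libmagic database installed on the host, so the allow-list should be verified against the deployed version rather than copied from documentation; the leading-bytes check is deliberately independent of libmagic so that a rigged magic database, as raised in the thread, is not the only thing the check relies on.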
