|
Posted by C. on 11/21/07 12:58
On 15 Nov, 14:52, Mad Hatter <co...@class31.co.uk> wrote:
> Hi folks
>
> I'm a bit confused with an upload script that I've written. I want to be
> able to check the file type of an upload by checking the mime type but I'm
> not getting the results that I thought I should. According to what I've
> read .zip files should return something like 'application/zip' or
> 'application/x-zip-compressed', RAR should return
> 'application/x-rar-compressed' but both return 'application/octet-stream'.
> I'm getting the results that I expected when checking .jpg, .png of .gif
> files.
>
> I'm checking the mime type using $_FILES['userfile']['type']
>
> Anyone throw some light on this for me?
Yes - don't bother. You are making assumptions about how the client is
configured which will probably lead to vulnerabilities in your code
(unless you control all the clients - in which case its simply a
matter of setting the file extension to mime type mapping correctly).
While on most proper systems the 'file' command is available to find
the type of a file, its advisable to also filter the content through a
type conversion utility (like imagemagick, ffmpeg or wv).
C.
[Back to original message]
|