Posted by Richard Lynch on 03/30/05 00:23

> //The mime type of the file, if the browser provided this information.
> $userfile_type=$_FILES['userfile']['type'];

Nooooooooooooooo!

First of all, the browsers do *NOT* provide any kind of standardized MIME
types.

One will call it text/x-csv, the other text/csv, the other text/plain, ...

Furthermore, you should *NOT* rely on this data coming from the browser.

Any body with HALF A CLUE can forge a POST with *any* kind of type they
want, shoving a trojan shell script into your script with a type of
plain/x-csv

Now you're probably not gonna be silly enough to just go and exec() that
script, but what if they manage to find *another* user on your server who
does just that?

Whammo! You no longer own your server, they do.

Assume the file you are getting is hostile.

Use the Unix "file" command to analyze it.

Then use your own script to analyze it, and be sure it contains suitable
data.

--
Like Music?
http://l-i-e.com/artists.htm

[Back to original message]