|
Posted by A. S. Milnes on 03/30/05 01:04
On Tue, 2005-03-29 at 22:23, Richard Lynch wrote:
> > //The mime type of the file, if the browser provided this information.
> > $userfile_type=$_FILES['userfile']['type'];
>
> Nooooooooooooooo!
Hmm - some very senior people disagree with you!
> First of all, the browsers do *NOT* provide any kind of standardized MIME
> types.
>
> One will call it text/x-csv, the other text/csv, the other text/plain, ...
Interesting.
> Now you're probably not gonna be silly enough to just go and exec() that
> script,
No - of course not - you never trust anything coming from outside - the
above script is a first pass, no more than that.
> but what if they manage to find *another* user on your server who
> does just that?
I don't understand what you mean here - I can't control what scripts
other people write and I can't afford a dedicated server.
> Assume the file you are getting is hostile.
Absolutely.
> Use the Unix "file" command to analyze it.
I come from a Windows background so I've never heard of this command and
it's not featured in any of the (many) PHP books I have read. Probably
becasue it's platform specific.
> Then use your own script to analyze it, and be sure it contains suitable
> data.
Absolutely.
Alan
[Back to original message]
|