Reply to Re: [PHP] filtering uploaded files

Your name:

Reply:


Posted by Angelo Zanetti on 12/23/51 11:12

hi Richard this sounds like quite a serious subject but is there no
other way to check the validity of the file and type without using the
unix command?

IE using PHP and not depending on system commands? thanks for your
insight so far, very important.

Richard Lynch wrote:

>>//The mime type of the file, if the browser provided this information.
>>$userfile_type=$_FILES['userfile']['type'];
>>
>>
>
>Nooooooooooooooo!
>
>First of all, the browsers do *NOT* provide any kind of standardized MIME
>types.
>
>One will call it text/x-csv, the other text/csv, the other text/plain, ...
>
>Furthermore, you should *NOT* rely on this data coming from the browser.
>
>Any body with HALF A CLUE can forge a POST with *any* kind of type they
>want, shoving a trojan shell script into your script with a type of
>plain/x-csv
>
>Now you're probably not gonna be silly enough to just go and exec() that
>script, but what if they manage to find *another* user on your server who
>does just that?
>
>Whammo! You no longer own your server, they do.
>
>Assume the file you are getting is hostile.
>
>Use the Unix "file" command to analyze it.
>
>Then use your own script to analyze it, and be sure it contains suitable
>data.
>
>
>

--

Angelo Zanetti
Z Logic
[c] +27 72 441 3355
[t] +27 21 464 1363
[f] +27 21 464 1371
www.zlogic.co.za

[Back to original message]


Удаленная работа для программистов  •  Как заработать на Google AdSense  •  England, UK  •  статьи на английском  •  PHP MySQL CMS Apache Oscommerce  •  Online Business Knowledge Base  •  DVD MP3 AVI MP4 players codecs conversion help
Home  •  Search  •  Site Map  •  Set as Homepage  •  Add to Favourites

Copyright © 2005-2006 Powered by Custom PHP Programming

Сайт изготовлен в Студии Валентина Петручека
изготовление и поддержка веб-сайтов, разработка программного обеспечения, поисковая оптимизация