Hi Kevin,

On Wed, Feb 25, 2015 at 6:08 PM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:

>> Your PHP code is only as secure as you make it. If you are in need of
>> such an RFC just to block a few „rare cases“, then I would rather suggest
>> you to either check your source or hand it to a professional to get it
>> counter-checked.
>>
>> Besides that, it is never a good idea to let a user upload
>> /everything/ that they want to. A proper MIME-type check can be helpful in
>> these scenarios.
>>
>
> MIME-type check cannot help at all as it does not guarantee no embedded
> PHP scripts in it.
> Even image resizing or removing EXIF info cannot help.
>

One more comment for this.

Do you know that Ruby and Perl could be vulnerable to script inclusion if simple
image validation is used and there is script inclusion vulnerable code?
I'm not going to write how it could be done, because this is not a security
list.

Script inclusion can be done via image just like PHP with Ruby and Perl, yet
Ruby and Perl do not have vulnerable apps, unlike PHP.

Why? Because it's much harder to attack with Ruby/PERL.

Please read this:
https://wiki.php.net/rfc/script_only_include#do_not_see_how_this_rfc_prevent_script_inclusion_attacks
and if you ever see a fatal issue, please let me know.

Thank you.

--
Yasuo Ohgaki
yohg...@ohgaki.net
