 ID:               48344
 Updated by:       j...@php.net
 Reported By:      danymoussa at gmail dot com
-Status:           Open
+Status:           Bogus
 Bug Type:         *General Issues
 Operating System: Centos 5
 PHP Version:      5.2.9
 New Comment:

Sorry, but your problem does not imply a bug in PHP itself. For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions. Due to the volume
of reports we can not explain in detail here why your report is not
a bug. The support channels will be able to provide an explanation
for you.

Thank you for your interest in PHP.


Previous Comments:
------------------------------------------------------------------------

[2009-05-20 11:45:35] carsten_sttgt at gmx dot de

I guess a bug tracker is the wrong place for such questions. E.g. the
user mailing list is a better place.

(hint: mimetype functions)

Regards,
Carsten

------------------------------------------------------------------------

[2009-05-20 11:37:48] danymoussa at gmail dot com

Thank you, how can I ensure no one is uploading shell files to my
website? I mean, what's the best way to secure it?

------------------------------------------------------------------------

[2009-05-20 11:33:43] carsten_sttgt at gmx dot de

The Content-Type is set by your browser (or whatever UA you are using
for the POST request).

That's the reason for: Don't trust the "type" in $_FILES. (A UA can
set this to any value it wants.)

In addition:
If no Content-Type is set by the UA, the default is
"application/octet-stream".

Regards,
Carsten

------------------------------------------------------------------------

[2009-05-20 11:24:49] danymoussa at gmail dot com

Submission error, flip actual result with expected result

------------------------------------------------------------------------

[2009-05-20 11:20:19] danymoussa at gmail dot com

Description:
------------
This is a very serious problem that I never faced in earlier PHP versions.
However, I tried to hack into my jpg-upload-image script and was able to
do that by inserting a renamed shell script: pic1.php.jpg

Reproduce code:
---------------
<form action="upload.php" method="post" enctype="multipart/form-data">
<input type="file" name="file">
<input type="submit" value="Upload">
</form>

print_r($_FILES);

Expected result:
----------------
[file] => Array
    (
        [name] => pic.php.jpg
        [type] => image/jpeg
        [tmp_name] => /tmp/php96MEPH
        [error] => 0
        [size] => 23052
    )

Actual result:
--------------
[file] => Array
    (
        [name] => pic.php.jpg
        [type] => application/octet-stream
        [tmp_name] => /tmp/php96MEPH
        [error] => 0
        [size] => 23052
    )

------------------------------------------------------------------------

-- 
Edit this bug report at http://bugs.php.net/?id=48344&edit=1
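
The advice in the thread above (do not trust the "type" in $_FILES; use the mimetype functions), as an added example that is not code from the bug report or from PHP itself: the handler checks the file content on the server and chooses the stored name itself. It assumes PHP 7+ with the fileinfo extension; UPLOAD_DIR, MAX_BYTES, ALLOWED and store_uploaded_image() are hypothetical names.

```php
<?php
// Added example: server-side validation for an upload.php handler like the one in the report.
// Assumptions: PHP 7+, fileinfo extension; all constant and function names are hypothetical.
const UPLOAD_DIR = '/var/www/uploads';  // assumed path; the web server must not execute scripts here
const MAX_BYTES  = 2 * 1024 * 1024;     // assumed size limit
// Accepted content types, mapped to the extension the server assigns.
const ALLOWED = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

function store_uploaded_image(array $file): string
{
    if (!isset($file['error']) || is_array($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or malformed request');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an HTTP upload');
    }
    if (filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    // Detect the type from the file content; $file['type'] is client-supplied and ignored.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!is_string($mime) || !array_key_exists($mime, ALLOWED)) {
        throw new RuntimeException('Unsupported file type');
    }
    // The content must also parse as an image, not just start with image magic bytes.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Not a valid image');
    }
    // Discard the client-supplied name (e.g. pic.php.jpg): random name, server-chosen extension.
    $target = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not store file');
    }
    return $target;
}

if (isset($_FILES['file'])) {
    try {
        echo basename(store_uploaded_image($_FILES['file']));
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo $e->getMessage();
    }
}
```

Content sniffing cannot rule out a file that is both a valid image and contains PHP code, so the server-chosen extension and a storage directory where the web server does not execute scripts are what keep a file like pic.php.jpg from running.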