> There are times when one needs to parse a file that ends in .jpg (or
> .jpeg) as PHP.
>
> Specifically, broken browsers (various versions of IE) that ignore
> Content-type: headers and use the URL to determine the MIME type will not
> correctly display a URL such as:
>
> http://l-i-e.com/gd_example.php
>
> Said browser will, however, correctly handle:
> http://l-i-e.com/gd_example.jpg

You sure about that? AFAIK so long as the filename ends in .jpg as shown by the browser, then you're okay. Provided you use PATH_INFO, then, you can use http://example.com/make_image.php/dummy.jpg

>
> Note that both images are dynamic and, in fact, the two source files are
> Linux symbolic (hard) links, as is this PHP source code:
> http://l-i-e.com/gd_example.phps
>
> The real problem in the described scenario is that somebody was foolish
> enough to take an image supplied by the untrusted USER and then feed it to
> PHP to be executed.
>
> Well, duh.
>
> Don't do that.
>
> :-)
>
> You could do the exact same thing in Perl, C, or maybe even ASP.
> [You'd really have to work at it in ASP, though, since ASP is broken.]
>
> > Needless to say this discussion quickly caught my attention and I
> > began to defend PHP explaining how the unsafe functions could be
> > disabled via the php.ini and so forth. But then I began to wonder..
> > surely if an exploit were possible the PHP folks would have been
> > informed and the source would have been patched by now, right?
>
> If an exploit is possible, but has nothing to do with PHP specifically,
> and has everything to do with a bad programmer, bad admin, or just plain
> user stupidity (PHP user, not end user) then why would the PHP Development
> Team change PHP?
>
> > I guess my question is.. is PHP's file upload functionality really
> > safe? I myself have a lot at stake if it's not.
>
> Is your car really safe? I have a lot at stake if it's not. Should we
> outlaw cars because some people drive drunk?
>
> > I don't know much about writing exploits, I just try to keep up to
> > date on security patches and bulletins and all. But these security
> > guys really seem to think PHP is insecure as far as file uploading, so
> > now I'm wondering about it all.
>
> The best way to learn more about security, other than poring over security
> lists with way too much information, plus lots and lots of misinformation
> from well-meaning people, is to role-play yourself as the bad guy and ask
> yourself: "If I was mean, how would I mess with this to break this guy's
> site?"
>
> I'm no security expert, but it amazes me the stupidity of some coding I
> see. It's not *that* tricky to put yourself in the bad guy's shoes.
>
> --
> Like Music?
> http://l-i-e.com/artists.htm
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
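
The thread's warning about feeding a user-supplied image to PHP, shown from the defender's side as an added example that is not part of the original messages: an upload handler that stores only a re-encoded JPEG under a server-chosen name. The form field name `photo` and the `UPLOAD_DIR` path are assumptions; the directory is assumed to sit outside any location where the web server maps .jpg (or anything else) to the PHP handler.

```php
<?php
// Added example, not code from the thread. Assumptions: the form field is
// named "photo"; UPLOAD_DIR is a hypothetical directory that the web server
// never passes to the PHP interpreter, whatever the file extension.
declare(strict_types=1);

const UPLOAD_DIR = '/var/data/uploads';   // hypothetical path
const MAX_BYTES  = 2 * 1024 * 1024;       // constructed size limit

function store_uploaded_jpeg(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    // Accept only a temp file that PHP created for this request.
    if (!is_uploaded_file($file['tmp_name']) || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('rejected');
    }
    // Decide the type from the bytes, never from the client's name or MIME type.
    $info = getimagesize($file['tmp_name']);
    if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
        throw new RuntimeException('not a JPEG');
    }
    // Decode and re-encode through GD, so what is stored is a fresh encoding
    // of the pixels and not the uploaded bytes themselves.
    $img = @imagecreatefromjpeg($file['tmp_name']);
    if ($img === false) {
        throw new RuntimeException('undecodable image');
    }
    // Server-chosen name: the user controls neither the path nor the extension.
    $name = bin2hex(random_bytes(16)) . '.jpg';
    if (!imagejpeg($img, UPLOAD_DIR . '/' . $name, 85)) {
        throw new RuntimeException('could not write image');
    }
    return $name;
}

if (isset($_FILES['photo'])) {
    try {
        echo 'stored as ', store_uploaded_jpeg($_FILES['photo']), "\n";
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo "upload refused\n";
    }
}
```

Re-encoding is a second layer only; the control that matters for the scenario in the thread is that the storage directory is never handed to the PHP interpreter.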