> On Mon, May 15, 2006 1:58 am, Jason Wong wrote: > > 2) the uploaded file is a "script" (perl/php/python/etc) > > > In the case of (2), if the script relies on its shebang line to > > execute > > Not necessarily -- What if I upload an "image" file named > "badscript.php" and then I surf to it, after it's in your /images > directory?
On my sites, I know aht file extensions that I will allow, so block (by script) anything that doesn't match - in my case, that's '.tif' and '.pdf'. George -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
