At 2:32 PM -0400 6/20/07, Guillaume Theoret wrote:
> Thanks for the link.
> I got worried for a second that my code could be exploited so I did a
> quick check to make sure that mime-types were correct. (I check the
> mime type to make sure it's an image, not the file extension.) I
> renamed a .jpg file .jpg.php and uploaded it and got application/x-php
> as a mime type.
> Is there a way to fake the mime type of what you've uploaded so that
> this exploit is still possible? Should I be checking both mime types
> and file extensions?
From what I've read, yes -- check for both file type and extension.
Don't allow an "image" file to have a php extension and don't believe
that a simple check into mime type will suffice.
If you are worried about evil code being in the image, you could
always resample the image (larger or smaller). Not that I have
personal experience, but I would think that any piece of code that is
resampled is going to have a difficult time running.
Cheers,
tedd
--
-------
http://sperling.com http://ancientstones.com http://earthstones.com
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
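The three checks the thread arrives at (last extension against an allowlist, MIME type sniffed from the file bytes rather than the browser-supplied value, and re-encoding the image so embedded bytes are dropped) as one added PHP 8 example; this is not code from either poster, and the field name "upload", the directory `$destDir` and the function name are assumptions.

```php
<?php
// Added example (not from the thread): a defensive image-upload check in PHP 8.
// Assumes a form field "upload" and a writable, non-script-executing $destDir.

// Accepted extensions and the MIME type the file's own bytes must sniff as.
const ALLOWED = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                 'png' => 'image/png',  'gif'  => 'image/gif'];

function storeUploadedImage(array $file, string $destDir): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed');
    }
    // 1. Extension check on the client-supplied name. pathinfo() returns the
    //    LAST extension, so "photo.jpg.php" yields "php" and is rejected.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('Extension not allowed');
    }
    // 2. Content check from the bytes on disk, NOT $_FILES['type']: that value
    //    comes from the browser's request and can be set to anything.
    $sniffed = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($sniffed !== ALLOWED[$ext]) {
        throw new RuntimeException("Content is $sniffed, not " . ALLOWED[$ext]);
    }
    // 3. Re-encode through GD (the "resample" tedd suggests): the written file
    //    holds only decoded pixels, so comments, metadata and trailing bytes
    //    from the original are dropped. Animation/EXIF are lost, by design.
    $src = @imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($src === false) {
        throw new RuntimeException('Not a decodable image');
    }
    // Random server-chosen name: the client's filename never reaches disk.
    $dest = $destDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    $ok = match ($ext) {
        'jpg', 'jpeg' => imagejpeg($src, $dest, 85),
        'png'         => imagepng($src, $dest),
        'gif'         => imagegif($src, $dest),
    };
    imagedestroy($src);
    if (!$ok) {
        throw new RuntimeException('Could not write re-encoded image');
    }
    return $dest;
}

// In the upload handler:
// $saved = storeUploadedImage($_FILES['upload'], __DIR__ . '/uploads');
```

Serving the uploads directory with script execution disabled covers the case where any one of these checks is bypassed.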