On 15 August 2010 06:14, Paul M Foster <pa...@quillandmouse.com> wrote:
> On Sat, Aug 14, 2010 at 10:36:07PM +0200, Sebastian Ewert wrote:
>> Hi,
>> before I allow to upload images I read them and check for several html
>> tags. If they exist I don't allow the upload. Is their any need to check
>> pdf files, too? At the time I'm doing this, but the result is that many
>> files are denied because of unallowed html tags.
> If I'm not mistaken, more recent versions of the PDF spec allow for
> embedded javascript. If so, it might be worthwhile to check for
> javascript in PDFs. (Whoever first thought of embedding *code* in
> documents should be shot.)

I personally wouldn't bother: it is the responsibility of Adobe Reader
or whichever pdf reader a user is using, to make sure that nothing
evil comes of viewing a pdf. There's very little chance you'll be able
to properly check pdfs serverside for the various security exploits
they may contain - the pdf reader would/should be much better equipped
to do this (the fact that Adobe has failed miserably at it so far is
another thing).

Sebastian, I personally think the best check for validity is, taking
images as an example, opening the image using Imagick or something
like it. After opening, verify that the image has valid dimensions and
type: a string of javascript or something like it simply won't
validate as an image. I've typically used
http://dk2.php.net/manual/en/function.getimagesize.php for this
myself, as there isn't a lot of overhead with that function - I don't
know if Imagick would be faster though, you'd have to check.


WWW: http://plphp.dk / http://plind.dk
LinkedIn: http://www.linkedin.com/in/plind
BeWelcome/Couchsurfing: Fake51
Twitter: http://twitter.com/kafe15

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to