On Mon, 2013-09-23 at 20:36 +0200, Domain nikha.org wrote:

> Stuart Dallas am Montag, 23. September 2013 - 12:58:
> > And, honestly, who would have a PHP file per language? I think it's
> perfectly reasonable to not allow that, because duplicating PHP code
> across many files is an incredible stupid way to support multiple
> languages.
> > 
> I agree!! Didn't even know, that this kind of faked language support
> exists...
> > "Some people run all their files through PHP" - true, but that doesn't
> mean they should, or that you, as a responsible web host, should be
> endorsing it.
> > 
> > PHP developers should absolutely validate all content coming in from
> users in every possible way, but I would be highly dubious about
> trusting a host who gives the reason above for what I consider a lax and
> insecure Apache configuration. It's like saying they sliced your arm off
> with their chainsaw because it's made for cutting things, attempting to
> dodge all responsibility for having swung it in your direction!
> > 
> OK, in principle, I also agree. But this case is very easy to handle.
> I'm simply running "str_replace()" against dangerous parts of uploaded
> filenames, ".php" for instance. After that, Apache in every
> configuration will just serve, and never execute user uploaded files.
> Remains the risk on the clients side, I must concede. Better solutions?
> Nice days,
> Niklaus   

No, no, no! That is not a good stand-in for fundamental security

This is a better method for ensuring an image is really an image:

        list($width, $height) = getimagesize($_FILES['file']['tmp_name']);
        if($width && $height)
                $source = imagecreatefromjpeg($_FILES['file']['tmp_name']);
                $dest = imagecreatetruecolor($width, $height);
                imagecopyresampled($dest, $source,
                                                0, 0, 0, 0,
                                                $width, $height, $width, 
                imagejpeg($dest, basename($_FILES['file']['tmp_name']));
                echo "{$_FILES['file']['name']} is not a jpeg";
<form enctype="multipart/form-data" method="post">
        <input type="file" name="file"/>
        <input type="submit" name="submit" value="submit"/>

Obviously it's only rough, and checks only for jpeg images, but that's
easy to alter. I've just tested this with a regular jpeg, the same jpeg
with PHP code concatenated onto the end (which still appears to be a
valid image to viewing/editing software) and a pure PHP file with a .jpg
extension. In the case of the first 2, a new jpeg is generated with the
same image and without the code. The third example just echoes out an


Reply via email to