Ashley Sheridan am Dienstag, 24. September 2013 - 18:22:

> In an earlier email I detailed some methods for validating other types, such
as DomDocument for HTML, XML, svg, etc, or fpdf for PDF. 
Fine, gratulations!

> And on behalf images: GD you are using handles only
> >jpeg, gif and png. There are about hunderd other image types on the
> >way,
> At the moment those are the 3 raster formats you can use on the web, so those
are the ones that pose an issue. If you're using anything else, it's not for web
and doesn't need to be in a publicly accessible location. 
Why that???!!! Why should users only upload files, that are used "for web", and
what does this mean, "for web"? Users may store personal files on your host,
because they use your website as a "cloud", as it is said today. Not "for web",
but for personal use on everey computer connected to the internet! That is
absolutly legitime and the ONLY reason to offer file uploading I can imagine! I
allow it only for authenticated, subscribed users. 

Nevertheless those trusted users may upload (unintenionally!) infected files.
And again: No virus was ever written "for web", but to harm computersystems,
clients and servers. They are just distributed via web.
Whould be great we could block them, and I appreciate your efforts to do this.
But sorry, your script shows me, that this cannot be done this way! Perhaps, if
you are right and GD processing really is harmless (I'm in doubt), we have a
clean jpeg (or gif or png). And then? What's about the rest?

Keep in mind, that PHP is a scripting framework to create websites, certainly
not a tool for virus detection! And we have a big problem with the Apache web
server, not because Apache serves possibly infected files, but because all kind
of files are NOT served, but passed to the script interpreter! That's awfull
enough, and opens a new exploit!

> The hacker says: Hi,
> >this is a nice picture, play it, and then, please do this--follows his
> >code, that can be a desaster for the whole system.
> Social engineering is a whole different issue.
yes, what I tried to describe is criminal.

PHP General Mailing List (
To unsubscribe, visit:

Reply via email to