Re: security of uploaded gif files

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



this is a little my fault. the example my friend showed me was a retracing of the example he saw in Pro PHP Security (p284). Basically, the short of the example is that a valid gif image could be uploaded with the extension .php and pass a getimagesize because it would have the necessary bytestream to think that it is a gif but that arbitrary php code could be appended at the end. To get around this, you just need to check for a valid file extension (.gif etc...) and mimetype.

-jonathan


On Jan 22, 2006, at 2:58 AM, Rory Browne wrote:

I'd be a bit skeptical about the possibly of embedding PHP code inside
a GIF file. Could you outline how he performed the task?

On 1/22/06, jonathan <news_php@xxxxxxxxxxxx> wrote:
what is the best way to prevent malicious code from being uploaded
via a .gif file? A friend showed me how php could be embedded within
the .gif file. Does this problem also exist for .jpeg's?

thanks,

jon

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux