This is a little my fault. The example my friend showed me was a
retracing of the example he saw in Pro PHP Security (p284).
Basically, the short of the example is that a valid gif image could
be uploaded with the extension .php and pass a getimagesize because
it would have the necessary bytestream to think that it is a gif but
that arbitrary php code could be appended at the end. To get around
this, you just need to check for a valid file extension (.gif etc...)
and mimetype.
-jonathan
On Jan 22, 2006, at 2:58 AM, Rory Browne wrote:
I'd be a bit skeptical about the possibility of embedding PHP code inside
a GIF file. Could you outline how he performed the task?
On 1/22/06, jonathan <news_php@xxxxxxxxxxxx> wrote:
What is the best way to prevent malicious code from being uploaded
via a .gif file? A friend showed me how php could be embedded within
the .gif file. Does this problem also exist for .jpeg's?
thanks,
jon
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
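
The check described in the first message of this thread, as an added example that is not part of the original posts: an upload is accepted only when its extension is on an allowlist and the image type detected from its content matches that extension. The function name, file names and sample bytes are constructed for illustration, and reading the MIME type with finfo instead of the client-supplied value is an assumption of this example.

```php
<?php
// Added example. Allowlist maps the image type getimagesize() detects
// to the only extension accepted for it.
const ALLOWED = [
    IMAGETYPE_GIF  => 'gif',
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
];

// Hypothetical helper: returns a server-chosen file name for an acceptable
// upload, or null when the upload must be rejected.
function checkImageUpload(string $clientName, string $tmpPath): ?string
{
    // 1. Extension from the client-supplied name must be on the allowlist.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if ($ext === 'jpeg') {
        $ext = 'jpg';
    }
    if (!in_array($ext, ALLOWED, true)) {
        return null;
    }
    // 2. Content must parse as an image whose type matches that extension.
    //    getimagesize() only reads the header, so trailing bytes do not fail it.
    $info = @getimagesize($tmpPath);
    if ($info === false || !isset(ALLOWED[$info[2]]) || ALLOWED[$info[2]] !== $ext) {
        return null;
    }
    // 3. MIME type sniffed from the content (not $_FILES[...]['type'], which
    //    the client controls) must agree with the detected image type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime !== image_type_to_mime_type($info[2])) {
        return null;
    }
    // Store under a random name so no client-chosen name or extension
    // ever reaches the filesystem.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample: a 1x1 GIF followed by inert trailing bytes.
$gif = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, $gif . '<?php /* constructed trailing bytes */ ?>');

var_dump(getimagesize($tmp) !== false);          // header check alone
var_dump(checkImageUpload('avatar.php', $tmp));  // same bytes, .php name
var_dump(checkImageUpload('avatar.gif', $tmp));  // same bytes, .gif name
unlink($tmp);
```

The trailing bytes remain in the stored file; the check ensures the file is saved with an image extension, so the web server serves it as an image and does not hand it to the PHP interpreter.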