On Sun, April 22, 2007 12:14 pm, Tijnema ! wrote:
> Yeah right, a time bomb with an image header :P
> It should have an ELF header :) But then it would be detected by the
> mime_content_type I guess.

mime_content_type would not detect, say, a PHP script embedded into the comments section of a JPEG (or GIF or PNG) and it's not unreasonable to think that maybe that's "bad" to allow on the server, in some circumstances, depending on all your other security processes.

Security is not a simple off/on switch, nor even a "do this and you'll be safe" type of thing. It's an ongoing effort from end to end of the entire process to really think about what *COULD* be exploited, and how to prevent that, ideally with at least two independent checks/blocks, in case one of the checks doesn't do what you think it does, or gets bypassed, or some idiot rips it out one day, not remembering why it's there, or it gets "lost" in a server move, or...

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

--
PHP General Mailing List (http://www.php.net/)
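A second, independent upload check of the kind the message argues for, as an added example that is not part of the original post: it walks a JPEG's header segments and flags comment (COM) or application (APPn) segments that contain a PHP open tag. The function name `jpeg_segments_with_php` and the sample bytes are constructed for illustration; GIF and PNG would need their own walkers.

```php
<?php
/** Added example (hypothetical helper): list JPEG COM/APPn segments holding a PHP open tag. */
function jpeg_segments_with_php(string $bytes): array
{
    if (strncmp($bytes, "\xFF\xD8", 2) !== 0) {
        return [['offset' => 0, 'reason' => 'missing SOI marker']];
    }
    $hits = [];
    $len  = strlen($bytes);
    $pos  = 2;
    while ($pos + 4 <= $len) {
        if ($bytes[$pos] !== "\xFF") {
            $hits[] = ['offset' => $pos, 'reason' => 'expected a marker'];
            break;
        }
        $marker = ord($bytes[$pos + 1]);
        if ($marker === 0xFF) {               // fill byte before a marker
            $pos++;
            continue;
        }
        if ($marker === 0xDA || $marker === 0xD9) {
            break;                            // SOS or EOI: header segments end here
        }
        $segLen = unpack('n', substr($bytes, $pos + 2, 2))[1]; // big-endian, counts itself
        if ($segLen < 2 || $pos + 2 + $segLen > $len) {
            $hits[] = ['offset' => $pos, 'reason' => 'bad segment length'];
            break;
        }
        $isMeta = $marker === 0xFE || ($marker >= 0xE0 && $marker <= 0xEF);
        if ($isMeta && strpos(substr($bytes, $pos + 4, $segLen - 2), '<?') !== false) {
            $hits[] = ['offset' => $pos, 'reason' => sprintf('PHP open tag in segment 0xFF%02X', $marker)];
        }
        $pos += 2 + $segLen;
    }
    return $hits;
}

// Constructed sample: SOI, JFIF APP0, a COM segment holding a harmless PHP tag, EOI.
$comment = '<?php /* constructed test marker */';
$sample  = "\xFF\xD8"
    . "\xFF\xE0" . pack('n', 16) . "JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    . "\xFF\xFE" . pack('n', strlen($comment) + 2) . $comment
    . "\xFF\xD9";
// Check 1: content sniffing keys on the file's magic bytes, not on its metadata.
printf("sniffed type: %s\n", (new finfo(FILEINFO_MIME_TYPE))->buffer($sample));
// Check 2: the independent segment scan.
foreach (jpeg_segments_with_php($sample) as $hit) {
    printf("offset %d: %s\n", $hit['offset'], $hit['reason']);
}
```

Binary metadata can contain the two bytes `<?` by chance, so a hit is best handled by rejecting the upload or re-encoding the image rather than treated as proof of intent.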