Re: uploads

On Sun, April 29, 2007 4:35 pm, jekillen wrote:
> can someone point me to a system for cleaning
> uploaded files; embedded php scripts in image
> files, viruses etc, shell escape chars, anything
> that would be hazardous?
> The idea is when a file is uploaded, as soon
> as it gets to the server it is inspected, cleaned/rejected
> before it is used or sent anywhere else on the server.
> I am using php to upload anything that would be sent
> in an e-mail attachment. Once the files have been
> 'sanitized' they would be made available for display.

What you are asking for is a "blacklist" of all known viruses...

At that point, you'd want to run something huge like clam-av and/or
spamassassin and/or a generic anti-virus software.

For *most* PHP web applications, what you REALLY want is a very very
very limited allowed set of "whitelist" of kinds of files to upload --
like only images and PDFs.

If that's what you actually want, it's better to try to check that the
uploaded files *ARE* images or PDFs, than it is to try to rule out
every possible virus ever invented...

I.e., a security "whitelist" approach is almost always better than a
"blacklist" approach.

Of course, if you are writing a generic email client type application,
then, yes, you have to go with a generic anti-virus tool like clam-av
or whatever.

It almost-for-sure won't actually be in PHP, and you'll probably have
to use http://php.net/exec, and you may even need to re-think the
general architecture so that the inbound email gets put into some kind
of normal mail queue, and then scrubbed, and then passed into some
kind of normal IMAP mailbox, and then PHP reads the IMAP mailbox, with
PHP taking a "hands off" approach to the actual scrubbing.

At least, that's the way *I* would do it.  Errr, am doing it.

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
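The "check that the uploaded files *ARE* images or PDFs" approach the reply recommends, as an added PHP example that is not from the thread or its author. It assumes PHP 8 with the fileinfo and GD extensions, a form field named "upload", and an upload directory outside the web root; all of these are assumptions.

```php
<?php
// Added example (not from the thread): whitelist an upload by its bytes, then
// re-encode images so anything hidden in the file, such as PHP code appended
// to an image, does not survive. Assumes PHP 8, fileinfo, GD and an upload
// field named "upload"; the upload directory below is also an assumption.
const ALLOWED = ['image/jpeg', 'image/png', 'image/gif', 'application/pdf'];

// MIME type decided from the file contents, never from $_FILES['upload']['type'].
function detect_type(string $path): ?string
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    return ($mime !== false && in_array($mime, ALLOWED, true)) ? $mime : null;
}

// Decode the image and write a fresh copy: only pixel data is carried over,
// so trailing payloads and metadata are dropped. Returns false on garbage.
function reencode_image(string $src, string $dst, string $mime): bool
{
    $data = file_get_contents($src);
    $img  = $data === false ? false : @imagecreatefromstring($data);
    if ($img === false) {
        return false;
    }
    $ok = match ($mime) {
        'image/jpeg' => imagejpeg($img, $dst, 90),
        'image/png'  => imagepng($img, $dst),
        'image/gif'  => imagegif($img, $dst),
    };
    imagedestroy($img);
    return $ok;
}

if (isset($_FILES['upload']) && $_FILES['upload']['error'] === UPLOAD_ERR_OK) {
    $tmp  = $_FILES['upload']['tmp_name'];
    $mime = is_uploaded_file($tmp) ? detect_type($tmp) : null;
    if ($mime === null) {
        http_response_code(415);
        exit('Only JPEG, PNG, GIF and PDF uploads are accepted.');
    }
    // Server-chosen name in a directory the web server does not execute from
    // (assumed path); the client-supplied filename is never used on disk.
    $ext  = $mime === 'application/pdf' ? 'pdf' : substr($mime, 6);
    $dest = '/var/uploads/' . bin2hex(random_bytes(16)) . '.' . $ext;
    $ok   = $mime === 'application/pdf'
          ? move_uploaded_file($tmp, $dest)
          : reencode_image($tmp, $dest, $mime);
    if (!$ok) {
        http_response_code(415);
        exit('The file could not be decoded as the type it claims to be.');
    }
}
```

PDFs cannot be re-encoded this simply, so they are only type-checked here and should be served from outside the web root with a fixed Content-Type rather than handed to the browser as-is.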

