On Sun, April 29, 2007 4:35 pm, jekillen wrote: > can someone point me to a system for cleaning > uploaded files; embedded php scripts in image > files, viruses etc, shell escape chars, anything > that would be hazardous? > The idea is when a file is uploaded, as soon > as it gets to the server it is inspected, cleaned/rejected > before it is used or sent anywhere else on the server. > I am using php to upload anything that would be sent > in an e-mail attachment. Once the files have been > 'sanitized' they would be made available for display. What you are asking for is a "blacklist" of all known viruses... At that point, you'd want to run something huge like clam-av and/or spamassassin and/or a generic anti-virus software. For *most* PHP web applications, what you REALLY want is a very very very limited allowed set of "whitelist" of kinds of files to upload -- like only images and PDFs. If that's what you actually want, it's better to try to check that the uploaded files *ARE* images or PDFs, than it is to try to rule out every possible virus ever invented... I.e., a security "whitelist" approach is almost always better than a "blacklist" approach. Of course, if you are writing a generic email client type application, then, yes, you have to go with a generic anti-virus tool like clam-av or whatever. It almost-for-sure won't actually be in PHP, and you'll probably have to use http://php.net/exec, and you may even need to re-think the general architecture so that the inbound email gets put into some kind of normal mail queue, and then scrubbed, and then passed into some kind of normal IMAP mailbox, and then PHP reads the IMAP mailbox, with PHP taking a "hands off" approach to the actual scrubbing. At least, that's the way *I* would do it. Errr, am doing it. -- Some people have a "gift" link here. Know what I want? I want you to buy a CD from some indie artist. http://cdbaby.com/browse/from/lynch Yeah, I get a buck. So? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
