At 2:32 PM -0400 6/20/07, Guillaume Theoret wrote:
Thanks for the link. I got worried for a second that my code could be exploited so I did a quick check to make sure that mime-types were correct. (I check the mime type to make sure it's an image, not the file extension.) I renamed a .jpg file .jpg.php and uploaded it and got application/x-php as a mime type. Is there a way to fake the mime type of what you've uploaded so that this exploit is still possible? Should I be checking both mime types and file extensions?
From what I've read, yes -- check for both file type and extension. Don't allow an "image" file to have a php extension and don't believe that a simple check into mime type will suffice.
If you are worried about evil code being in the image, you could always resample the image (larger or smaller). Not that I have personal experience, but I would think that any piece of code that is resampled is going to have a difficult time running.
Cheers,
tedd

--
-------
http://sperling.com
http://ancientstones.com
http://earthstones.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
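The checks discussed above, combined in one added PHP example (not code from the list thread): an extension allowlist, a server-side content check via finfo and getimagesize instead of the browser-supplied `$_FILES[...]['type']`, and a re-encode through GD along the lines tedd suggests. The function name `store_uploaded_image` and its destination-directory argument are my own.

```php
<?php
// Added example: accept an uploaded image only if the extension, the bytes on
// disk and GD's parse of the header all agree, then write out a fresh encode.
// The MIME type the browser sends in $_FILES is client-controlled; it is never
// consulted here.
function store_uploaded_image(array $file, string $destDir): ?string
{
    $allowed = [
        'jpg'  => ['mime' => 'image/jpeg', 'type' => IMAGETYPE_JPEG],
        'jpeg' => ['mime' => 'image/jpeg', 'type' => IMAGETYPE_JPEG],
        'png'  => ['mime' => 'image/png',  'type' => IMAGETYPE_PNG],
        'gif'  => ['mime' => 'image/gif',  'type' => IMAGETYPE_GIF],
    ];
    $decoders = ['jpg' => 'imagecreatefromjpeg', 'jpeg' => 'imagecreatefromjpeg',
                 'png' => 'imagecreatefrompng',  'gif' => 'imagecreatefromgif'];
    $encoders = ['jpg' => 'imagejpeg', 'jpeg' => 'imagejpeg',
                 'png' => 'imagepng',  'gif' => 'imagegif'];

    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }

    // 1. Extension: the LAST one, lowercased, must be allowlisted. "photo.jpg.php"
    //    has the extension "php" and is rejected at this step.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null;
    }

    // 2. Content: libmagic and GD both inspect the file header; both must match
    //    the extension. (A file with a genuine image header still passes here,
    //    which is why step 3 exists.)
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $file['tmp_name']);
    finfo_close($finfo);
    $info = @getimagesize($file['tmp_name']);
    if ($mime !== $allowed[$ext]['mime'] || $info === false
        || $info[2] !== $allowed[$ext]['type']) {
        return null;
    }

    // 3. Re-encode: decode to a pixel buffer, copy onto a fresh canvas and write
    //    it back out. Only pixels survive; comments, metadata and trailing data
    //    are dropped. (Transparency is lost on the truecolor canvas.)
    $src = @$decoders[$ext]($file['tmp_name']);
    if ($src === false) {
        return null;
    }
    $w = imagesx($src); $h = imagesy($src);
    $dst = imagecreatetruecolor($w, $h);
    imagecopyresampled($dst, $src, 0, 0, 0, 0, $w, $h, $w, $h);

    // 4. Server-chosen name with a fixed, known-safe extension; the client's
    //    filename is never reused.
    $out = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    $ok  = $encoders[$ext]($dst, $out);
    imagedestroy($src); imagedestroy($dst);
    return $ok ? $out : null;
}
```

Store `$destDir` outside the web root or in a location the web server will not execute scripts from, so a failure in any single check above still does not yield executable content.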