On 6/20/07, tedd <tedd@xxxxxxxxxxxx> wrote:
At 2:32 PM -0400 6/20/07, Guillaume Theoret wrote: >Thanks for the link. > >I got worried for a second that my code could be exploited so I did a >quick check to make sure that mime-types were correct. (I check the >mime type to make sure it's an image, not the file extension.) I >renamed a .jpg file .jpg.php and uploaded it and got application/x-php >as a mime type. > >Is there a way to fake the mime type of what you've uploaded so that >this exploit is still possible? Should I be checking both mime types >and file extensions? From what I've read, yes -- check for both file type and extension. Don't allow an "image" file to have a php extension and don't believe that a simple check into mime type will suffice. If you are worried about evil code being in the image, you could always resample the image (larger or smaller). Not that I have personal experience, but I would think that any piece of code that is resampled is going to have a difficult time running. Cheers, tedd
Well, some smart guy could still come around ifhe knows how the file is resampled, as he would just need to the opposite, but that would only work if you go from gif to gif I think, Don't think it will be possible with JPEG or such... Tijnema -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
