Al wrote:
Thanks guys.
I had written a newer version restricted to images which checks MIME and
image width and height.
I have one application which needs a text file. I think I'll have my
users hide a password in it and scan the whole file for <? and <?php and
other signs of scripts, etc.
Al wrote:
One of my sites has been hacked and I'm trying to find the hole. The
hack code creates dirs with "nobody" ownership, so it's obvious stuff
is not via ftp [ownership would be foo]
Site is virtual host, Linux/Apache
I'm concerned about a file uploader my users use to upload photos.
Can anyone see a hole in this script? Can my code upload an executable
masquerading as an image file?
You probably need a deeper inspection than checking the extension - that's
Microsoft thinking...
You can't trust what the client is telling you - even the MIME type sent by the
browser is no guarantee.
Since you're on Linux, why not look at using the 'file' shell command to get a
more detailed inspection of the upload.
I made a basic function like this a few years ago - probably needs a bit of
tweaking:
<?php
function getMimeType($file)
{
    global $magicFile;   // path to a magic database that answers with MIME types
    // -b: bare output (no filename prefix); -m: use the given magic file.
    // escapeshellarg() (singular) quotes both paths before they reach the shell.
    $mimecmd = "/usr/bin/file -b -m " . escapeshellarg($magicFile) . " "
             . escapeshellarg($file) . " 2> /dev/null";
    $ret = exec($mimecmd);
    if (!$ret)
    {
        $ret = "unknown";
    }
    return $ret;
}
?>
The global $magicFile is the tricky bit - you need to find a nice Unix magic
numbers file that returns mime types (they're easier to parse than regular magic
number responses). Probably something like /usr/share/misc/magic.mime, but that
depends on the system.
--
Peter Ford phone: 01580 893333
Developer fax: 01580 893399
Justcroft International Ltd., Staplehurst, Kent
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
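A server-side check along the lines Peter describes, added here as an example and not code posted in this thread: it uses PHP's fileinfo extension (libmagic, the same database the `file` command reads) instead of exec(), cross-checks the result with getimagesize(), and stores the file under a server-chosen name in a hypothetical directory outside the web root.

```php
<?php
// Added example: validate an uploaded image without trusting the client's
// filename, extension or $_FILES[...]['type']. Assumes the fileinfo
// extension is loaded and that $storeDir is not served by Apache.

function storeUploadedImage(array $upload, string $storeDir): ?string
{
    // Only accept a file PHP itself received via HTTP POST.
    if (($upload['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($upload['tmp_name'])) {
        return null;
    }
    $tmp = $upload['tmp_name'];

    // 1. Ask libmagic what the bytes look like (no magic-file path needed)
    //    and allow only a short whitelist of image types.
    $allowed = [
        'image/jpeg' => IMAGETYPE_JPEG,
        'image/png'  => IMAGETYPE_PNG,
        'image/gif'  => IMAGETYPE_GIF,
    ];
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmp);
    if (!isset($allowed[$mime])) {
        return null;
    }

    // 2. Cross-check with the image parser: the header must decode as the
    //    type libmagic reported, with sane width and height.
    $info = @getimagesize($tmp);
    if ($info === false || $info[2] !== $allowed[$mime]
        || $info[0] < 1 || $info[1] < 1 || $info[0] > 8000 || $info[1] > 8000) {
        return null;
    }

    // 3. Never reuse the client's name or extension. A file that passes both
    //    checks can still contain "<?php" in a comment or trailing bytes, so
    //    it must land where the web server will not execute it, under a
    //    random name whose extension matches the detected type.
    $name = bin2hex(random_bytes(16)) . image_type_to_extension($info[2]);
    $dest = rtrim($storeDir, '/') . '/' . $name;
    if (!move_uploaded_file($tmp, $dest)) {
        return null;
    }
    chmod($dest, 0644);
    return $name;
}

// Usage (hypothetical path): $stored = storeUploadedImage($_FILES['photo'], '/srv/uploads');
```

The stored name is returned so the application can serve the image through a script or a directory with PHP handling disabled, rather than by its original name.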