I don't pay any attention to MIME sent by the client.
I check the MIME returned from getimagesize() and I'm not too certain of it. I need to do further research.
I do check the images have width and height and I extract the embedded text stuff.
I'm going to look into your suggestion. Thanks.
Peter Ford wrote:
Al wrote:
Thanks guys.
I had written a newer version restricted to images which checks MIME
and image width and height.
I have one application which needs a text file. I think I'll have my
users hide a password in it and scan the whole file for <? and <?php
and other signs of scripts, etc.
Al wrote:
One of my sites has been hacked and I'm trying to find the hole. The
hack code creates dirs with "nobody" ownership, so it's obvious stuff
is not via ftp [ownership would be foo]
Site is virtual host, Linux/Apache
I'm concerned about a file uploader my users use to upload photos.
Can anyone see a hole in this script? Can my code upload an executable
masquerading as an image file?
You probably need a deeper inspection than checking the extension -
that's Microsoft thinking...
You can't trust what the client is telling you - even the MIME type sent
by the browser is no guarantee.
Since you're on Linux, why not look at using the 'file' shell command to
get a more detailed inspection of the upload.
I made a basic function like this a few years ago - probably needs a bit
of tweaking:
<?php
function getMimeType($file)
{
    global $magicFile;
    // Ask file(1) for the MIME type using the magic file named in $magicFile.
    // -b suppresses the filename prefix; both arguments are shell-escaped
    // (the function is escapeshellarg, singular), and stderr is discarded.
    $mimecmd = "/usr/bin/file -b -m " . escapeshellarg($magicFile) . " "
             . escapeshellarg($file) . " 2> /dev/null";
    $ret = exec($mimecmd);
    if (!$ret)
    {
        $ret = "unknown";
    }
    return $ret;
}
?>
The global $magicFile is the tricky bit - you need to find a nice Unix
magic numbers file that returns mime types (they're easier to parse than
regular magic number responses). Probably something like
/usr/share/misc/magic.mime, but that depends on the system.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
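The checks discussed in this thread (ignore the client's MIME type and filename, inspect the bytes with libmagic as file(1) does, confirm with getimagesize(), and never let the upload land where it could run as a script) pulled together into one handler. This is an added example, not code from the thread or from either poster; it assumes PHP 7 or later with the fileinfo and GD extensions, uses PHP's built-in finfo class instead of shelling out to /usr/bin/file, and the storage directory /var/app/uploads is a hypothetical path that must not be served by PHP.

```php
<?php
// Added example (not from the thread): defensive image-upload validation that
// trusts only the file contents, never the client-supplied name or MIME type.
// Assumes PHP >= 7 with the fileinfo and GD extensions loaded.

// Allow-list: libmagic-detected MIME type => extension the server will assign.
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Validate a temporary upload as an image using server-side inspection only.
 * Returns the extension to store it under, or throws on rejection.
 */
function validateImageUpload(string $tmpPath, int $maxBytes = 2 * 1024 * 1024): string
{
    // 1. Must be a file PHP itself received in this request, not an arbitrary path.
    if (!is_uploaded_file($tmpPath)) {
        throw new RuntimeException('rejected: not an uploaded file');
    }

    // 2. Size cap enforced on the server, regardless of any form hint.
    $size = filesize($tmpPath);
    if ($size === false || $size === 0 || $size > $maxBytes) {
        throw new RuntimeException('rejected: size');
    }

    // 3. MIME type from magic bytes via libmagic (same idea as `file -b -i`).
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);
    if ($mime === false || !isset(ALLOWED_IMAGE_TYPES[$mime])) {
        throw new RuntimeException('rejected: type ' . var_export($mime, true));
    }

    // 4. The image must actually decode, with real dimensions, and GD's view of
    //    the type must agree with libmagic's; a disagreement is a reject.
    $info = @getimagesize($tmpPath);
    if ($info === false || $info[0] <= 0 || $info[1] <= 0) {
        throw new RuntimeException('rejected: not a decodable image');
    }
    if ($info['mime'] !== $mime) {
        throw new RuntimeException('rejected: type mismatch between libmagic and GD');
    }

    return ALLOWED_IMAGE_TYPES[$mime];
}

/**
 * Move a validated upload into a directory outside the document root under a
 * server-chosen name, so the original filename and extension are never used.
 * Returns the stored filename.
 */
function storeUpload(string $tmpPath, string $storeDir): string
{
    $ext  = validateImageUpload($tmpPath);
    $name = bin2hex(random_bytes(16)) . '.' . $ext;   // random, fixed extension
    $dest = rtrim($storeDir, '/') . '/' . $name;

    if (!move_uploaded_file($tmpPath, $dest)) {
        throw new RuntimeException('store failed');
    }
    chmod($dest, 0640);   // data file, never executable
    return $name;
}

// Usage inside the upload handler ('/var/app/uploads' is a hypothetical
// directory that the web server does not serve and PHP never executes from):
// $stored = storeUpload($_FILES['photo']['tmp_name'], '/var/app/uploads');
```

Two design points follow from the thread. First, a file that passes both libmagic and getimagesize() can still carry arbitrary text in EXIF or comment chunks, so the real protection is step 4 plus the storage rule: the file is renamed with a server-chosen extension, kept outside any script-executing path, and handed to browsers by a download script, not by Apache mapping the upload directory. Re-encoding the image with GD (imagecreatefromjpeg() followed by imagejpeg()) is an optional extra that discards those embedded sections entirely. Second, finfo gives the same libmagic verdict as the file command without exec(), so there is no shell command to escape and no dependency on locating a magic.mime file.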