At 11:45 PM +1100 12/16/08, Tim Starling wrote:
I thought the list might be interested in a tutorial for secure
web-based file uploads that I just wrote:
http://tstarling.com/blog/2008/12/secure-web-uploads/
-- Tim Starling
Tim:
That's a good read -- thanks -- but it's more of an article than a tutorial.
In any event, instead of posting to your blog, I thought starting a
dialog here might serve the php community better. So here goes:
In your blog you suggest looking for the magic number in image files
and not using getimagesize(). So what about this approach?
1. Restrict the File-Type.
2. Pass the file through exif_read_data() and see if File-Type and
MimeType match.
3. Resize the image.
Do you see any security problems with this?
I can't imagine evil code still working after someone resizes the file.
Cheers,
tedd
PS: here's an example of both getimagesize() and exif_read_data():
http://webbytedd.com/bb/image-data/
--
-------
http://sperling.com http://ancientstones.com http://earthstones.com
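The three-step check tedd proposes, written out in PHP as an added example (this is not code from the thread, from Tim's article, or from tedd's demo page). It assumes PHP 8 with the fileinfo, exif and GD extensions, a hypothetical upload field named "photo", and a hypothetical $storeDir outside the web root. Two practical details it handles: exif_read_data() only parses JPEG and TIFF, so PNG and GIF uploads are checked by magic-byte sniffing and the re-encode instead; and the stored file is always GD's own output under a server-chosen name, so none of the uploaded bytes (or the client's filename) reach disk.

```php
<?php
// Added example, not from the thread. Assumes PHP 8+, fileinfo, exif and GD.
declare(strict_types=1);

// Step 1: restrict the file type. Each accepted extension is tied to the MIME
// type and IMAGETYPE_* constant the content must actually resolve to.
const ALLOWED = [
    'jpg'  => ['mime' => 'image/jpeg', 'type' => IMAGETYPE_JPEG],
    'jpeg' => ['mime' => 'image/jpeg', 'type' => IMAGETYPE_JPEG],
    'png'  => ['mime' => 'image/png',  'type' => IMAGETYPE_PNG],
    'gif'  => ['mime' => 'image/gif',  'type' => IMAGETYPE_GIF],
];

/**
 * Validate one entry of $_FILES and write a freshly encoded copy into $storeDir.
 * Returns the server-chosen filename; throws on any failed check.
 */
function acceptImageUpload(array $file, string $storeDir, int $maxSide = 1024): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed or was not a real upload');
    }

    // The client-supplied name is untrusted; its extension only selects which
    // whitelisted type we expect the content to be.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException("Extension '$ext' is not allowed");
    }
    $expected = ALLOWED[$ext];

    // Sniff the magic bytes (fileinfo ignores the name) and require agreement.
    $sniffed = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($sniffed !== $expected['mime']) {
        throw new RuntimeException("Content type $sniffed does not match .$ext");
    }

    // Step 2: for JPEGs, cross-check exif_read_data()'s FileType and MimeType,
    // as tedd suggests. PNG/GIF are not parsed by exif_read_data(), so they
    // rely on the sniff above plus the re-encode below.
    if ($expected['type'] === IMAGETYPE_JPEG) {
        $exif = @exif_read_data($file['tmp_name']);
        if ($exif === false
            || ($exif['FILE']['FileType'] ?? null) !== IMAGETYPE_JPEG
            || ($exif['FILE']['MimeType'] ?? null) !== 'image/jpeg') {
            throw new RuntimeException('EXIF FileType/MimeType do not describe a JPEG');
        }
    }

    // Step 3: resize (re-encode) with GD. What gets stored is pixel data GD
    // produced, so trailing payloads, comments and metadata are discarded.
    $src = match ($expected['type']) {
        IMAGETYPE_JPEG => @imagecreatefromjpeg($file['tmp_name']),
        IMAGETYPE_PNG  => @imagecreatefrompng($file['tmp_name']),
        IMAGETYPE_GIF  => @imagecreatefromgif($file['tmp_name']),
    };
    if ($src === false) {
        throw new RuntimeException('GD could not decode the image');
    }
    $w = imagesx($src);
    $h = imagesy($src);
    $scale = min(1.0, $maxSide / max($w, $h));
    $dst = imagecreatetruecolor((int) round($w * $scale), (int) round($h * $scale));
    if ($expected['type'] === IMAGETYPE_PNG) {   // keep PNG transparency
        imagealphablending($dst, false);
        imagesavealpha($dst, true);
    }
    imagecopyresampled($dst, $src, 0, 0, 0, 0, imagesx($dst), imagesy($dst), $w, $h);

    // Server-chosen random name with the validated extension, never the client's.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $path = rtrim($storeDir, '/') . '/' . $name;
    $ok = match ($expected['type']) {
        IMAGETYPE_JPEG => imagejpeg($dst, $path, 85),
        IMAGETYPE_PNG  => imagepng($dst, $path),
        IMAGETYPE_GIF  => imagegif($dst, $path),
    };
    imagedestroy($src);
    imagedestroy($dst);
    if (!$ok) {
        throw new RuntimeException('Could not write the resized image');
    }
    return $name;
}

// Usage (hypothetical field name and storage directory):
// $stored = acceptImageUpload($_FILES['photo'], '/var/app/uploads');
```

The point of step 3 from a defender's view is that imagecopyresampled() plus imagejpeg()/imagepng()/imagegif() produces a new file from decoded pixels, so the original upload never reaches the store; if GD cannot decode the file, the upload is rejected rather than kept. Serving the result from a directory that the web server will not execute scripts from, under the random name, removes the remaining reliance on the extension check.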
--
PHP General Mailing List (http://www.php.net/)