Peter Lind wrote: > I'm guessing you may have been referring to something like: > http://kestas.kuliukas.com/JavaScriptImage/ - this actually does seem > to be a valid threat to IE6 and would go undetected by the measures > proposed. Checking an image for <script> tags seems to the only way to > check if IE6 will render it as html and whether or not it will cause > problems. > > I don't know if the same vulnerability exists for pdfs - you'd have to > check security sources for it. > > Regards > Peter > THX now I understand why only the first Bytes are checked for tags. I'm not planing to support IE6. A message with an update link is displayed if IE6 enters the site. For other Browser the mime type check with imagick is enough security or are there better ways? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
