On Tue, 2008-12-16 at 16:02 +0000, Peter Ford wrote:
> tedd wrote:
> > I can't imagine evil code still working after someone resizes the file.
> > 
> 
> Yeah, but the uploaded OpenOffice Writer doc won't look too good either... :)
> 
> I prefer to move files to an off-line store, run them through a unix 'file'
> command (with a mime-type magic file) to get the mime-type, use that to decide
> whether or not to accept, and then serve them back to clients through a script.
> As an optional step, on really paranoid systems, I run a virus scan over the
> upload (with clamav, usually).
> <troll>
> I'm not exactly sure what all the fuss is about protecting IE users from
> malicious code - if they care then they shouldn't be using IE, and if they don't
> care they shouldn't be on the internet.
> </troll>
> Tim's efforts do seem to be a bit of overkill...
> 
> -- 
> Peter Ford                              phone: 01580 893333
> Developer                               fax:   01580 893399
> Justcroft International Ltd., Staplehurst, Kent
> 
Go one further; punish all IE users by infecting them...

Hmm, OK, so not my best or most serious suggestion maybe. I've relied on
having the OS report the file-type using the aforementioned file
command, and it seems to work OK. For really paranoid systems, I store
the file in a non web-accessible location and use a binary-safe fopen()
to stream the file to the user.


Ash
www.ashleysheridan.co.uk


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
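
The workflow described in this thread (type detection by magic bytes, storage outside the web root, delivery through a script using a binary-safe fopen()), as an added example that is not code from any poster. It assumes PHP 7+ with the fileinfo extension, which reads the same libmagic database as the unix `file` command; the store path, allow-list and function names are hypothetical.

```php
<?php
// Added example; UPLOAD_STORE, ALLOWED_TYPES and all function names are assumptions.
const UPLOAD_STORE = '/var/uploads';   // assumed to sit outside the document root
const ALLOWED_TYPES = [                // detected MIME type => extension we assign
    'image/png'       => 'png',
    'image/jpeg'      => 'jpg',
    'application/pdf' => 'pdf',
    'application/vnd.oasis.opendocument.text' => 'odt',
];

// Ask libmagic for the type; the client-supplied name and $_FILES type are never trusted.
function detectMimeType(string $path): string
{
    $type = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    return $type === false ? 'application/octet-stream' : $type;
}

// Returns the stored name on success, null if the upload is rejected.
function acceptUpload(array $upload): ?string
{
    if ($upload['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($upload['tmp_name'])) {
        return null;
    }
    $type = detectMimeType($upload['tmp_name']);
    if (!isset(ALLOWED_TYPES[$type])) {
        return null;                   // type not on the allow-list
    }
    // Server-generated name: the original filename never reaches the filesystem.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$type];
    return move_uploaded_file($upload['tmp_name'], UPLOAD_STORE . '/' . $name) ? $name : null;
}

// Streams a stored file back; accepts only names in the format acceptUpload() generates.
function serveUpload(string $name): void
{
    $path = UPLOAD_STORE . '/' . $name;
    $ok = preg_match('/\A[0-9a-f]{32}\.[a-z]{3}\z/', $name) === 1 && is_file($path);
    $fh = $ok ? fopen($path, 'rb') : false;      // 'rb' = binary-safe read
    if ($fh === false) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . detectMimeType($path));
    header('Content-Length: ' . filesize($path));
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('X-Content-Type-Options: nosniff');   // tell browsers not to second-guess the type
    fpassthru($fh);
    fclose($fh);
}
```

The optional virus scan mentioned in the thread would run between type detection and the move into the store.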