Peter Ford wrote:
> tedd wrote:
>
>> I can't imagine evil code still working after someone resizes the file.
>
> Yeah, but the uploaded OpenOffice Writer doc won't look too good either... :)
>
> I prefer to move files to an off-line store, run them through a unix 'file'
> command (with a mime-type magic file) to get the mime-type, use that to decide
> whether or not to accept, and then serve them back to clients through a 
> script.
> As an optional step, on really paranoid systems, I run a virus scan over the
> upload (with clamav, usually).

There are some file types, such as .png and .wav, where that approach is
not at all secure. The file command will tell you that the file is
image/png, but IE 6 will detect it as text/html and run scripts in it.

The ClamAV step is almost pointless. It does nothing to deter an
attacker who is targeting your site specifically.

-- Tim Starling

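As an added example (not code from the thread or from either poster), here is the serving script Peter describes, written in PHP: it re-checks the type from the bytes with libmagic, the same magic database the unix 'file' command uses, and adds the response headers that limit the browser content-sniffing Tim points out; the store path, the id format and the allow-list are assumptions. X-Content-Type-Options is honoured from IE 8 on, not by IE 6, so forcing a download and hosting uploads on a separate domain remain the fallback for older browsers.

```php
<?php
// Added example: serve a file from an off-line upload store through a script.
// STORE_DIR is an assumed path outside the web root.
const STORE_DIR = '/var/uploads-offline';

// Allow-list of MIME types the site actually needs (assumed), mapped to the
// extension the server will hand out; the uploader's filename is never used.
const ALLOWED_TYPES = [
    'image/png'       => 'png',
    'image/jpeg'      => 'jpg',
    'application/pdf' => 'pdf',
];

function serve_upload(string $id): void
{
    // Accept only an opaque identifier, never a client-supplied path.
    if (!preg_match('/^[a-f0-9]{32}$/', $id)) {
        http_response_code(404);
        exit;
    }
    $path = STORE_DIR . '/' . $id;
    if (!is_file($path)) {
        http_response_code(404);
        exit;
    }

    // Re-detect the type from the file's bytes on every request; do not trust
    // the extension or the Content-Type the uploader sent.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($path);
    if ($mime === false || !isset(ALLOWED_TYPES[$mime])) {
        http_response_code(403);
        exit;
    }

    header('Content-Type: ' . $mime);
    // Tell browsers that support it (IE 8+, modern browsers) not to
    // second-guess the declared type by sniffing the body.
    header('X-Content-Type-Options: nosniff');
    // Force a download under a server-chosen name; browsers that still sniff
    // then have no page of this origin to render the file inline in.
    $name = $id . '.' . ALLOWED_TYPES[$mime];
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

serve_upload($_GET['id'] ?? '');
```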
-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php