verot.net

The class is configured by default with a standard set of MIME types. Just use it as it comes.Reply

where can I see this set if I wish to change it?Reply

just upload an exe file with this:

$handle->process($path);
$handle->mime_check = true;
$handle->file_safe_name = true;
$handle->file_overwrite = true;

file uploaded correctly... ?Reply

You have to set the options before calling process()

As for changing the MIME types, look in the doc for the options allowed and forbiddenReply

Same...
With option before the exe file is still uploaded...

I have found in the code the switch will all the mime...Reply

Copy here your code and the log produced by the classReply

if ($lang = 'fra') $locale = 'fr_FR';
if ($lang = 'eng') $locale = 'en_EN';
if ($lang = 'deu') $locale = 'de_DE';
$doc = $_FILES['userfile']['name'];
$path = "modules/Samples/files/$folder/";
$handle = new upload($_FILES['userfile'],$locale);
if ($handle->uploaded) {                      
  $handle->mime_check = true;
  $handle->file_safe_name = true;
  $handle->file_overwrite = true;
  $handle->process($path);
  if ($handle->processed) {
    echo 'file uploaded';
    $handle->clean();
  } else {
    echo 'error : ' . $handle->error;
  }
}

nothing in the log...

Tried to purchase your software, is it the same as giving money.
You send the invoice after?Reply

For the log, output $handle->log at the end

I can send an invoice after the purchase, no problems. Send me your company name and address after the payment, and I will issue the invoice.Reply

Can't have the log to output someting.... screen or file log??Reply

Just add the following code after calling process()

echo $handle->log;

Reply

i did it... :(Reply

Got it !
system information
- class version : 0.29
- operating system : WINNT
- PHP version : 5.2.10
- GD version : 2.0.34
- supported image types : png jpg gif bmp
- open_basedir : no restriction
- language : de_DE
source is an uploaded file
- upload OK
- file name OK
determining MIME type
- Checking MIME type with Fileinfo PECL extension
Fileinfo PECL extension not available
- Checking MIME type with UNIX file() command
UNIX file() command not availabled
- Checking MIME type with mime.magic file (mime_content_type())
mime_content_type() is not available
- Checking MIME type with getimagesize()
getimagesize() failed
- MIME type detected as application/octet-stream by browser
- MIME validated as application/octet-stream
- Flash may be rewriting MIME as application/octet-stream
- Try to guess MIME type from file extension (exe): doesn't look like anything known
source variables
- You can use all these before calling process()
file_src_name : AirFranceTravelDeskFR.exe
file_src_name_body : AirFranceTravelDeskFR
file_src_name_ext : exe
file_src_pathname : D:\www\phpTemp\php9825.tmp
file_src_mime : application/octet-stream
file_src_size : 3327918 (max= 83886080)
file_src_error : 0
process file to modules/Samples/files/SA898/\
- file size OK
- file mime OK : application/octet-stream
- file name safe format
- destination variables
file_dst_path : modules/Samples/files/SA898/\
file_dst_name_body : AirFranceTravelDeskFR
file_dst_name_ext : exe
- no image operation, keep extension
- no auto_rename if same filename exists
- destination file details
file_dst_name : AirFranceTravelDeskFR.exe
file_dst_pathname : modules/Samples/files/SA898/\AirFranceTravelDeskFR.exe
- no overwrite checking
- no image processing wanted
- process OKReply

Are you using a Flash uploader? Flash rewrites all MIME types to application/octet-stream, so the class can only rely on the file extension.

I see that none of the MIME detection method are enabled on your server, and you are using a Windows server. So your system cannot determine the MIME type reliably. You should set up your server so that it can detect MIME types, or use a proper operating system for a server (Linux, BSD...)

In any case, the class on your system can only determine the MIME to be application/octet-stream for extensions it doesn't know. exe extensions are not known, so it falls back to application/octet-stream.

You can forbid the MIME application/octet-stream to prevent such files to be uploaded. But then it is really easy to spoof an upload, as in your case the class is forced to rely on the file extension. In other words, whatever you try to do to restrict the MIME types which can be uploaded, you cannot have something secure: just changing the file extension will allow an attacker to upload any file he wants.

My suggestion: use a proper operating system, or at least make sure that MIME detection is enabled on your system. Without this, you will not be able to secure your uploads.Reply