Reply to Re: Vulnerability - bypassing no_script check

class.upload.php

class.upload.php is a powerful and mature PHP class to manage uploaded files, and manipulate images in many ways. The script is available under a GPL license.

more info about the class

Reply to Re: Vulnerability - bypassing no_script check

Re: Vulnerability - bypassing no_script check new!

# Reply

by colin, 16 years, 1 month ago

For extra security, you can have mime_content_type PHP extension enabled, and set the $handle->mime_magic_check to be true. That would double-check the MIME type, but at present, it will only give a warning. Probably I could have the process to fail if the detected MIME is different than the one set by the browser. I don't know if there would be some false positives.

You can harden the security a bit more by having a very restricted set of MIME types that you accept. Yes, the attacker can still fake it.

It is planned to implement the fileinfo support, which will allow for further MIME checks. It will also be helpful when uploading from a Flash uploader.

I will look more into it when I implement fileinfo and will try to implement a "paranoid" setting with more checks.Reply

Name *
Email
Title *
Text *
Enter the code displayed on the image: Click on the image to generate another one if it is hard to read it. The case is important

verot.net

quality web development

Overview

Download it!

Docs and support

Help out!

class.upload.php

Reply to Re: Vulnerability - bypassing no_script check

Your reply