> There is a directive to turn off uploads altogether. I don't see us going
> beyond that. How are we supposed to detect executables? An executable is
> extremely platform-dependent. I suppose we could suck all the code from
> the UNIX 'file' command into PHP and try to determine a filetype from the
> magic bytes, but to what end? What exactly are you trying to protect
> against here?

well, i was more thinking of, by default, only allowing say images, documents and compressed files. i can fully understand that determining an executable is a mean task, and way out of the scope for what PHP needs to be. but PHP already has the in built functionality to check a file type, same way as i would check a file when i have an upload script.

> My point is that we have no way of knowing what is dangerous and what
> isn't. This is something the application developer will have to determine
> in his receiving script.

i just think that if there's a default setting, it'll cure a lot of the problems we get with un-educated users creating wild upload scripts. most things can be dangerous in one form or another, but would taking a few steps like this really be more effort than it's worth? i know it's a bit of kindergarten teaching for people that really should know better, but it's evident just from the lists that it happens quite often.

thanks for the response anyhow :)

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
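
The check both posters leave to the receiving script, sketched as an added example (not code from this thread or from PHP itself): an allowlist keyed on the type detected from the file's content rather than on anything the client sends. The allowlist entries, size limit, function name and storage directory are assumptions for illustration, and the fileinfo extension is assumed to be enabled.

```php
<?php
// Added example, not code from the thread. Allowlist, size limit and
// storage directory are assumptions chosen for illustration.
declare(strict_types=1);

const ALLOWED_TYPES = [          // detected MIME type => extension we assign
    'image/jpeg'      => 'jpg',
    'image/png'       => 'png',
    'image/gif'       => 'gif',
    'application/pdf' => 'pdf',
    'application/zip' => 'zip',
];
const MAX_BYTES = 5 * 1024 * 1024;

/**
 * Validate one entry of $_FILES and move it into $storageDir.
 * Returns the stored path, or throws RuntimeException on rejection.
 */
function acceptUpload(array $file, string $storageDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, error code ' . ($file['error'] ?? 'none'));
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an HTTP upload');
    }
    if ($file['size'] > MAX_BYTES || filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // Detect the type from the content (libmagic, as the 'file' command does).
    // $file['type'] and the client's file name are sender-controlled and ignored.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime === false || !array_key_exists($mime, ALLOWED_TYPES)) {
        throw new RuntimeException('type not allowed: ' . var_export($mime, true));
    }

    // Server-chosen name and extension; keep $storageDir outside the web root
    // so nothing stored here is ever handed to the PHP interpreter.
    $target = rtrim($storageDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not store upload');
    }
    return $target;
}
```

A magic-byte match only says what the file starts like, so the server-assigned name and the non-executable storage location carry as much of the protection as the type check does.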
