On Thu, 31 Jul 2003, skate wrote:
> > There is a directive to turn off uploads altogether. I don't see us going
> > beyond that. How are we supposed to detect executables? An executable is
> > extremely platform-dependent. I suppose we could suck all the code from
> > the UNIX 'file' command into PHP and try to determine a filetype from the
> > magic bytes, but to what end? What exactly are you trying to protect
> > against here?
>
> well, i was more thinking of, by default, only allowing say images,
> documents and compressed files.

What is a document? Like I said, if the server is configured to parse PHP tags out of .html files, which is rather common, then even uploading a .html file is unsafe. A straight .txt file could potentially be unsafe while an executable is completely safe because there is unlikely to be a server configuration that would enable this executable to actually be executed.

Are you worried about client-side security when you talk about blocking executables from being uploaded? As in uploading an executable that is then later downloaded by someone else and run? Because surely, uploading an executable is unlikely to be a problem on the server.

We could put in a mime-type filter, but that would act on the client-provided mime-type which is rather unreliable. Perhaps couple that with mime-magic checking and I guess it could be useful as an optional ini directive.

-Rasmus

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
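
The coupling of a MIME-type filter with magic-byte checking discussed in the message above, as an added example that is not part of the original thread or of PHP itself. It assumes the fileinfo extension is enabled; the `ALLOWED` list and the `vet_upload` function are hypothetical names, and the sample inputs are constructed.

```php
<?php
// Added example. Assumes the fileinfo extension (libmagic) is enabled.
// ALLOWED and vet_upload() are hypothetical names chosen for illustration.
const ALLOWED = [
    'image/png'       => 'png',
    'image/jpeg'      => 'jpg',
    'application/pdf' => 'pdf',
    'application/zip' => 'zip',
];

/**
 * Vet an upload by its content rather than by what the client claims.
 * $claimedType is the browser-supplied value ($_FILES[...]['type']);
 * it is compared against the detected type and never trusted on its own.
 */
function vet_upload(string $claimedType, string $bytes): array
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->buffer($bytes);   // type inferred from magic bytes

    if ($detected === false || !isset(ALLOWED[$detected])) {
        return ['accept' => false, 'detected' => $detected,
                'reason' => 'detected type is not on the allow-list'];
    }
    // Policy choice for this sketch: a mismatch is rejected, not just logged.
    if ($claimedType !== $detected) {
        return ['accept' => false, 'detected' => $detected,
                'reason' => 'claimed type does not match content'];
    }
    // Server-chosen name and extension: the client's filename never reaches
    // disk, so it cannot select a handler mapping such as .html or .php.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$detected];
    return ['accept' => true, 'detected' => $detected, 'store_as' => $name];
}

// Constructed samples: a 1x1 PNG, and PHP source sent with an image type.
$png = base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
);
$samples = [
    ['image/png',  $png],                        // claim and content agree
    ['image/png',  "<?php echo 'hello'; ?>\n"],  // claim says image, content is text
    ['text/plain', $png],                        // content allowed, claim disagrees
];
foreach ($samples as [$claimed, $bytes]) {
    echo json_encode(vet_upload($claimed, $bytes)), "\n";
}
```

Magic-byte detection only classifies the leading bytes of a file, so it does not by itself address the server-configuration risk raised in the message. The generated filename, together with a storage directory that has no script handler mapped, is what covers that case.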