On 03 Oct 2014, at 11:26 , li...@rhsoft.net wrote:

> On 03.10.2014 at 19:13, Philip Prindeville wrote:
>> I don't necessarily trust just the extension of the filename.
>>
>> I'd also look at the file's magic (same as the OS does) as well as the
>> content-type.
>> Can't be too thorough
>
> that topic is not a matter of trusting

Exactly.

> it's a matter of putting different filters with different performance
> and security impact in the right order - if the client announces
> a banned extension you reject there; there is just nothing for file's
> magic because you don't receive it

And checking the file's magic is expensive (especially if it's in an archive).

> everybody knows that you must not rely on extensions but keep in mind
> that the "file" package has not only once had its own security flaws
> and some of them a short while ago, so receiving the attachment and inspecting it
> may even lead to code execution on your server

The extension check is also the simplest way to exclude files that will automatically execute on a Windows system (at least historically, and on far too many existing Windows XP installs).

-- 
And she was looking at herself
And things were looking like a movie
She had a pleasant elevation
She's moving out in all directions
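The filter ordering argued for in this thread, as an added illustration that is not code from either poster or from any mail filter they use: the cheap extension check runs on the announced filename before any content is fetched, and only attachments that pass it are received and sniffed for magic bytes. The denylist and the three-entry magic table are constructed for the example; a real deployment would use a full signature database.

```python
import os

# Extensions Windows has historically executed directly (constructed, illustrative list)
BANNED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}

# Tiny magic table; the real "file" package knows thousands of signatures
MAGIC = {
    b"MZ": "application/x-dosexec",
    b"PK\x03\x04": "application/zip",
    b"%PDF": "application/pdf",
}


def check_extension(filename):
    """Stage 1: needs only the announced name, so it runs before any content is received."""
    ext = os.path.splitext(filename.lower())[1]
    if ext in BANNED_EXTENSIONS:
        return f"rejected: banned extension {ext}"
    return None


def sniff_magic(data):
    """Stage 2: identify the content by its leading bytes, ignoring the name."""
    for signature, mime in MAGIC.items():
        if data.startswith(signature):
            return mime
    return None


def check_attachment(filename, declared_type, get_content):
    """Run the cheap filter first; call get_content() (the expensive receive) only if it passes."""
    verdict = check_extension(filename)
    if verdict:
        return verdict
    data = get_content()  # only now is the attachment body actually received
    actual = sniff_magic(data[:16])
    if actual == "application/x-dosexec":
        return "rejected: executable content behind a harmless name"
    if actual and declared_type and actual != declared_type:
        return f"rejected: declared {declared_type} but content is {actual}"
    return "accepted"
```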