"Domain nikha.org" <m...@nikha.org> wrote:
>Ashley Sheridan on Tuesday, 24 September 2013 - 18:22:
>
>> In an earlier email I detailed some methods for validating other
>> types, such as DomDocument for HTML, XML, svg, etc, or fpdf for PDF.
>>
>Fine, congratulations!
>
>> >And on behalf images: GD you are using handles only
>> >jpeg, gif and png. There are about a hundred other image types on the
>> >way,
>>
>> At the moment those are the 3 raster formats you can use on the web,
>> so those are the ones that pose an issue. If you're using anything
>> else, it's not for web and doesn't need to be in a publicly accessible
>> location.
>>
>Why that???!!! Why should users only upload files that are used "for
>web", and what does this mean, "for web"? Users may store personal
>files on your host, because they use your website as a "cloud", as it
>is said today. Not "for web",

Ok, imagine this scenario. A user uploads a .tif. This isn't a web format, so 
we treat it as a binary file, uploading to a non web accessible area of the 
site. Tell me again where the exploit is please.

>but for personal use on every computer connected to the internet! That
>is absolutely legitimate and the ONLY reason to offer file uploading I
>can imagine! I allow it only for authenticated, subscribed users.
>
>Nevertheless those trusted users may upload (unintentionally!) infected
>files. And again: No virus was ever written "for web",

Not exactly true, but beyond the scope of this discussion I think.

>but to harm computer systems, clients and servers. They are just
>distributed via web.
> 
>Would be great if we could block them, and I appreciate your efforts to
>do this. But sorry, your script shows me that this cannot be done this
>way!

Tell me how you would get a jpg past that example and I'll look into it, as I 
explained that was an example not a full solution. We don't tend to just write 
full code for people here.

>Perhaps, if you are right and GD processing really is harmless (I'm in
>doubt),

Evidence? Either give some or stop saying GD isn't secure. The PHP community 
needs less hyperbole and more facts.

>we have a clean jpeg (or gif or png). And then? What about the rest?
>
>Keep in mind that PHP is a scripting framework to create websites,
>certainly not a tool for virus detection! And we have a big problem with
>the Apache web server, not because Apache serves possibly infected
>files, but because all kinds of files are NOT served, but passed to the
>script interpreter!

That's a bad Apache setup, which I'm not saying isn't a problem, but your 
original "solution" doesn't even cover validation.

>That's awful enough, and opens a new exploit!
>
>>
>> >The hacker says: Hi,
>> >this is a nice picture, play it, and then, please do this--follows his
>> >code, that can be a disaster for the whole system.
>>
>> Social engineering is a whole different issue.
>>
>Yes, what I tried to describe is criminal.
>Niklaus

Thanks,
Ash

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
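
The handling Ash describes above (jpeg, gif and png go through GD; a .tif is treated as binary and stored in a non-web-accessible area), sketched in PHP as an added example that is not the script discussed in the thread. The function name `store_upload` and the two directory parameters are assumptions made for illustration.

```php
<?php
// Added illustration, not the script from the thread.
// store_upload(), $publicDir (inside the document root) and $privateDir
// (outside it, never mapped to a URL or a script handler) are assumptions.

function store_upload(string $tmpPath, string $publicDir, string $privateDir): array
{
    if (!is_uploaded_file($tmpPath)) {
        throw new RuntimeException('Not an HTTP upload');
    }
    // Server-generated name: the client's filename and extension are never used.
    $name = bin2hex(random_bytes(16));

    // Classify by content; $_FILES[...]['type'] is client-supplied and ignored.
    $info = @getimagesize($tmpPath);
    $type = $info === false ? null : $info[2];

    $codecs = [
        IMAGETYPE_JPEG => ['imagecreatefromjpeg', 'imagejpeg', '.jpg'],
        IMAGETYPE_GIF  => ['imagecreatefromgif',  'imagegif',  '.gif'],
        IMAGETYPE_PNG  => ['imagecreatefrompng',  'imagepng',  '.png'],
    ];

    if ($type !== null && isset($codecs[$type])) {
        [$load, $save, $ext] = $codecs[$type];
        $img = @$load($tmpPath);
        if ($img !== false) {
            imagesavealpha($img, true); // keep PNG transparency
            // Publish a fresh encoding of the decoded pixels, never the
            // uploaded bytes: metadata and trailing data are not copied.
            $dest = "$publicDir/$name$ext";
            if ($save($img, $dest)) {
                return ['area' => 'public', 'path' => $dest];
            }
        }
    }

    // Anything else (.tif, PDF, archives, images GD cannot decode) is kept
    // as opaque binary where the web server cannot serve or execute it.
    $dest = "$privateDir/$name.bin";
    if (!move_uploaded_file($tmpPath, $dest)) {
        throw new RuntimeException('Upload could not be stored');
    }
    return ['area' => 'private', 'path' => $dest];
}
```

Files in the private area would be handed back to their owner by an authenticated download script rather than by a direct URL, so the Apache handler mapping raised in the thread never sees them.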
