On Mon, 2008-11-03 at 13:46, Ed Trager wrote:
at the *nix file command source code, I bet you could fairly easily
find a reference to the magic file header bytes that are used to
detect TTF/OTF files and then add this to the getId3() stuff, assuming
that getId3() is well-written.
OpenType
2008/11/3 Brendan Ferguson [EMAIL PROTECTED]:
I have joined the development mailing list. Waiting for my first mail.
Which dev list? :-)
One note of concern that I will research. If someone starts with a .html
file and adds php content, then uploads it and renames it to .php, a script
could
Sounds like you are an expert around here :-)
But I have not done any coding in 4 years..
Brendan
___
Openfontlibrary mailing list
Openfontlibrary@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/openfontlibrary
Hi,
Dave Crossland wrote:
2008/11/3 Brendan Ferguson [EMAIL PROTECTED]:
Getting the
file onto the server is the first big step in launching an attack.
We can set the webserver to send files for download, so neither the
webserver nor webbrowser will interpret them.
So could we
We can set the webserver to send files for download, so neither the
webserver nor webbrowser will interpret them.
I imagine that even if the files are set for download, they will be
interpreted. If say I set up a GIF for PHP to run through it, and then
force the download header, it will
On Tue, 2008-11-04 at 08:20 +, Dave Crossland wrote:
2008/11/3 Ed Trager [EMAIL PROTECTED]:
The PHP getId3() library is at http://getid3.sourceforge.net/. It
might be worth looking into how to expand this library to recognize
the TTF and OTF file headers, perhaps? The idea here
2008/11/4 Brendan Ferguson [EMAIL PROTECTED]:
This is not really my area of expertise. I was primarily a php
programmer who made websites, content management systems and such.
Also did website design using DHTML and Usability.
Sounds like you are an expert around here :-)
The extent of unix
2008/11/4 Brendan Ferguson [EMAIL PROTECTED]:
Say, will any of the font source files read like a unix script file with #!/
as the first bits of information in the file?
Maybe. There is a font on OFLB now that is a SFD and has a
makeOTF.sh file uploaded too. I forget which one though :(
2008/11/3 Ed Trager [EMAIL PROTECTED]:
The PHP getId3() library is at http://getid3.sourceforge.net/. It
might be worth looking into how to expand this library to recognize
the TTF and OTF file headers, perhaps? The idea here seems quite
similar to what the *Nix file command does. If
2008/11/3 Brendan Ferguson [EMAIL PROTECTED]:
By headers Ed means the first few bytes of the file. So the file
command does indeed identify PHP files perfectly:
I will take your word on it. I am clearly not up to date on this.
Perhaps the file manual will help? :-)
$ man file
Will it
2008/11/3 Brendan Ferguson [EMAIL PROTECTED]:
It sounds like you are describing user security. This is really a server
security issue for me.
Take a PHP file. What headers will it have? NONE!
By headers Ed means the first few bytes of the file. So the file
command does indeed identify PHP
Hi,
Just to add a bookend: ccHost ships with two means of filtering files.
Both are additive - IOW nothing is allowed until explicitly permitted (I
prefer this, and ccHost is at v5...)
The two methods:
- clever: getID3 (php file identifying lib). Useless to OFLB ATM as
nobody's added and fonts
Hi, Brendan,
The PHP getId3() library is at http://getid3.sourceforge.net/. It
might be worth looking into how to expand this library to recognize
the TTF and OTF file headers, perhaps? The idea here seems quite
similar to what the *Nix file command does. If someone were to look
at the *nix
Yes, I think worthy. We have done this for SVG on http://openclipart.org
It's for more than just id3 now ;) Should be more like
readWriteMetadataWithPHP()
;)
Jon
On Mon, 2008-11-03 at 16:46 -0500, Ed Trager wrote:
Hi, Brendan,
The PHP getId3() library is at http://getid3.sourceforge.net/.
2008/11/2 Brendan Ferguson [EMAIL PROTECTED]:
(c) when any individual files are added to the typeface, create a new
zip that includes everything
For what reason? Downloading? Is this essential or ideal?
Here is the use-case scenario that this is for:
Mary, soccer mom and scrap book
One can always change a file name extension to something else, so
testing against the file extension is probably not useful. PHP's
$_FILES['userfile']['type'] will indicate the file's mime type if
provided by the browser, but I don't know how browsers determine the
mime type for uploaded files.
I suppose the Report possible License violation feature could be
duplicated/extended to Report possible malicious file so a simple
machine filter like file extensions would have a social safety net.
The *nix file command reads the file
headers and determines file type based on the pattern of
(c) when any individual files are added to the typeface, create a new
zip that includes everything
For what reason? Downloading? Is this essential or ideal?
(d) have the decompression work for any common format
(e) have the compression happen in a range of formats
So, everything is