Hi,

On 24 February 2015 at 22:07, Stanislav Malyshev <smalys...@gmail.com> wrote:
> Hi!
>
>> They'd need to upload with a matching file type. Instead of any file
>
> Not sure what you mean by that. phar can read tars, etc. AFAIK, can't
> it? Also, phar archive has no requirement of being named something.phar,
> afaik can be also named cuteponies.gif. E.g., I just did this:
Your example omitted the image validation step which would have noticed your attempt to upload a phar immediately. Add that and try again.

It's not very fair to create a scenario with a total lack of any security, and then ignore that your code's problem is that gaping hole and NOT the minor extension filter on the far end.

The control under debate was already provided with a preventable example by Yasuo pointing out how certain crafted images for file inclusion, which would bypass certain image validation checks, would indeed be preventable by his RFC. Please stick to what the RFC actually claims to do.

Paddy

--
Pádraic Brady
http://blog.astrumfutura.com
http://www.survivethedeepend.com

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
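As an added illustration of the image validation step Paddy refers to (example code written for this page, not code from the thread, from PHP or from the RFC): the handler ignores the client-supplied name and MIME type, checks the bytes with getimagesize(), decodes with GD, and stores a freshly encoded copy under a server-chosen name, so a non-image file named cuteponies.gif is rejected rather than saved. The function name, the temp-directory layout and the two sample files are assumptions constructed for the example.

```php
<?php
// Added example: server-side image validation for an upload handler.
// Rejects anything that is not a decodable image regardless of its
// filename, then re-encodes with GD so only decoded pixel data is kept.
// Function name and sample inputs are constructed for this example.

function validate_and_reencode_image(string $tmpPath, string $destDir): ?string
{
    // 1. Never trust the client-supplied name or MIME type: inspect the bytes.
    $info = @getimagesize($tmpPath);
    if ($info === false) {
        return null;                       // not a parseable image at all
    }
    $allowed = [IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png'];
    if (!isset($allowed[$info[2]])) {
        return null;                       // image type outside the allow-list
    }
    // 2. Decode with GD. A file that only mimics an image header fails here.
    $img = match ($info[2]) {
        IMAGETYPE_GIF  => @imagecreatefromgif($tmpPath),
        IMAGETYPE_JPEG => @imagecreatefromjpeg($tmpPath),
        IMAGETYPE_PNG  => @imagecreatefrompng($tmpPath),
    };
    if ($img === false) {
        return null;
    }
    // 3. Write a fresh file under a server-chosen random name and extension.
    //    Re-encoding discards trailing data, comments and metadata; only
    //    what GD decoded as pixels reaches the destination file.
    $dest = $destDir . '/' . bin2hex(random_bytes(16)) . '.' . $allowed[$info[2]];
    $ok = match ($info[2]) {
        IMAGETYPE_GIF  => imagegif($img, $dest),
        IMAGETYPE_JPEG => imagejpeg($img, $dest),
        IMAGETYPE_PNG  => imagepng($img, $dest),
    };
    imagedestroy($img);
    return $ok ? $dest : null;
}

// Constructed sample inputs: a genuine 1x1 GIF, and a plain text file that
// merely carries a .gif name, as in the scenario discussed above.
$dir  = sys_get_temp_dir();
$real = "$dir/real.gif";
imagegif(imagecreatetruecolor(1, 1), $real);
$fake = "$dir/cuteponies.gif";
file_put_contents($fake, "this is not an image");

var_dump(validate_and_reencode_image($real, $dir) !== null);
var_dump(validate_and_reencode_image($fake, $dir));
```

The extension filter is not what does the work here: the allow-list is keyed on the detected image type, and the stored name is generated by the server, so the original filename never influences what is written to disk.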