On 03.10.2014 at 19:13 Philip Prindeville wrote:
> I don’t necessarily trust just the extension of the filename.
> 
> I’d also look at the file’s magic (same as the OS does) as well as the 
> content-type.
> Can’t be too thorough

that topic is not a matter of trusting

it's a matter of putting different filters with different performance
and security impact in the right order - if the client announces
a banned extension you reject it there, and there is simply no file
magic to inspect because you never receive the file

everybody knows that you must not rely on extensions, but keep in mind
that the "file" package has had its own security flaws more than once,
some of them not long ago, so receiving the attachment and inspecting
it may even lead to code execution on your server

the same applies to virus scanners and other content inspection

that's why you want to reject things you don't want to receive for
sure, instead of touching them with complex software after receiving
the data
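The ordering argument made in the reply, as an added example that is not code from the thread or from any mail server: a small attachment filter whose stages are ordered by cost and by how much untrusted data they have to touch. The banned-extension list, the banned content-type list and the magic-number table are constructed for the demo; the `fetch_body` callback stands in for reading the message body off the wire, so the demo can show that a header-only rejection never pulls the body at all.

```python
"""Ordered attachment filter: cheapest, header-only checks run first,
content sniffing (which needs the whole body) runs last."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Constructed policy for the demo: extensions refused outright.
BANNED_EXTENSIONS = {".exe", ".scr", ".vbs", ".js"}

# Constructed policy for the demo: declared or sniffed MIME types refused outright.
BANNED_TYPES = {"application/x-msdownload", "application/x-dosexec"}

# Leading bytes of a few well-known formats; only what this demo needs.
MAGIC_SIGNATURES = [
    (b"MZ", "application/x-dosexec"),
    (b"%PDF-", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),
]


@dataclass
class Attachment:
    filename: str                    # name announced by the client
    declared_type: str               # Content-Type header as announced
    fetch_body: Callable[[], bytes]  # hypothetical hook: reads the body from the wire
    body_fetched: bool = False       # records whether any stage touched the body

    def body(self) -> bytes:
        self.body_fetched = True
        return self.fetch_body()


def extension_check(att: Attachment) -> Optional[str]:
    """Stage 1: header-only; decides on the announced filename alone."""
    name = att.filename.lower()
    dot = name.rfind(".")
    ext = name[dot:] if dot >= 0 else ""
    return f"banned extension {ext}" if ext in BANNED_EXTENSIONS else None


def declared_type_check(att: Attachment) -> Optional[str]:
    """Stage 2: still header-only; decides on the announced Content-Type."""
    ctype = att.declared_type.split(";")[0].strip().lower()
    return f"banned content-type {ctype}" if ctype in BANNED_TYPES else None


def sniff_type(data: bytes) -> str:
    """Minimal stand-in for file(1)/libmagic: match a leading signature."""
    for prefix, mime in MAGIC_SIGNATURES:
        if data.startswith(prefix):
            return mime
    return "application/octet-stream"


def magic_check(att: Attachment) -> Optional[str]:
    """Stage 3: needs the body, so it is the most expensive stage and the one
    that feeds attacker-controlled bytes into a parser."""
    actual = sniff_type(att.body()[:16])
    return f"content is {actual} by magic" if actual in BANNED_TYPES else None


STAGES = [extension_check, declared_type_check, magic_check]


def filter_attachment(att: Attachment) -> Tuple[Optional[str], Optional[str]]:
    """Run the stages in order; stop at the first rejection.
    Returns (reason, stage_name), or (None, None) when accepted."""
    for stage in STAGES:
        reason = stage(att)
        if reason:
            return reason, stage.__name__
    return None, None


def demo() -> Dict[str, Dict[str, object]]:
    """Constructed samples showing which stage decides and whether the body was read."""
    samples = {
        "exe": Attachment("invoice.exe", "application/octet-stream", lambda: b"MZ\x90\x00"),
        "pdf": Attachment("report.pdf", "application/pdf", lambda: b"%PDF-1.7\n"),
        "disguised": Attachment("photo.jpg", "image/jpeg", lambda: b"MZ\x90\x00"),
    }
    results = {}
    for label, att in samples.items():
        reason, stage = filter_attachment(att)
        results[label] = {"reason": reason, "stage": stage, "body_fetched": att.body_fetched}
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:10s} -> {outcome}")
```

The `.exe` sample is rejected by the first stage without `fetch_body` ever being called, which is the point of the reply: a client that announces something you will never accept gives you no reason to read, store, or parse its payload. Only the samples that pass the cheap stages reach `magic_check`, so the body-parsing code path is exercised by far fewer messages.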
