Re: [mod-security-users] Problems with @inspectFile not escaping arguments
From: Reindl H. <h.r...@th...> - 2015-12-08 14:10:10
On 08.12.2015 at 15:00, Felipe Costa wrote:
>> the reason for calling the file-command is that on Fedora that package
>> is typically recent while the native php-functions are proven to often
>> detect the wrong mimetypes even for gif-images and the bundled
>> php-stuff doesn't see many updates to fix the error in a timely manner, if ever
>>
>> ob_start();
>> passthru('/usr/bin/file -b --mime-type ' .
>> escapeshellarg($_SERVER['argv'][1]));
>> $mime_type = trim(ob_get_clean());
>> switch(in_array($mime_type, $allowed_mimetypes))
>> {
>> case true: exit("1: upload mime-type '" . $mime_type . "' allowed\n"); break;
>> case false: exit("0: upload mime-type '" . $mime_type . "' not allowed\n"); break;
>> }
>
> I always look at that script integration as something easy to be deployed and
> tested, but later to be transformed into an operator and/or variables for a
> performance boost. It does not mean that you cannot use it in production, just saying
> that it opens the possibility for fast prototyping.

clear, hence my hint that something like @inspectMimeType and a configurable whitelist of allowed upload-mimetypes would be a nice thing

> I understand your need with the `file' example, but, do you think you can achieve
> the same level of "functionality" by using a python script?
>
> In python it will be something like (not tested):
>
> import magic
> mime = magic.Magic(mime=True)
> allowed = ["text/plain", "text/something"]
>
> for i in modsec.transaction.file_tmpnames:
>     mime_type = mime.from_file(i)
>     if not mime_type in allowed:
>         return [0, "upload mime-type ‘…’ not allowed"]
>
> What do you think?
surely, the reason for PHP is that all our internal developments like cms-systems, frameworks, admin-backends and deployment/automation are written in PHP, and so after 13 years there is a fat library of well-tested code deployed on all servers, so when I have an idea tomorrow that it makes sense to include some database content in that check-script, it's 5 lines of code to marry it with whatever admin tool or internal webservice :-)
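A runnable stand-in for the check script discussed in this thread, added here as an example (it is not code from the thread, from ModSecurity, or from the poster's library). It keeps the @inspectFile verdict convention of the PHP script above, but replaces the `file` call with a small magic-byte table, an assumption made so it runs without libmagic or python-magic installed; the allowlist values are constructed.

```python
import codecs
import sys

# Allowlist of upload MIME types; constructed values, adjust per site.
ALLOWED_MIMETYPES = {"image/gif", "image/png", "image/jpeg", "text/plain"}

# Minimal magic-byte table standing in for `file -b --mime-type` / libmagic
# (an assumption so the script runs without python-magic; libmagic knows far more).
SIGNATURES = [
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"%PDF-", "application/pdf"),
]

def sniff_mime_bytes(head):
    """Classify a file's leading bytes; the client's Content-Type is never consulted."""
    for magic, mime in SIGNATURES:
        if head.startswith(magic):
            return mime
    # NUL-free, valid UTF-8 counts as text/plain; final=False tolerates a
    # multibyte character cut off at the end of the sampled window.
    if b"\x00" not in head:
        try:
            codecs.getincrementaldecoder("utf-8")().decode(head, final=False)
            return "text/plain"
        except UnicodeDecodeError:
            pass
    return "application/octet-stream"

def verdict(mime_type):
    """Verdict line in the @inspectFile convention: leading "1" allows, "0" rejects."""
    if mime_type in ALLOWED_MIMETYPES:
        return "1: upload mime-type '%s' allowed" % mime_type
    # A content check catches mislabelled uploads (e.g. a PDF named .gif) but not
    # a valid image header followed by other content, so keep it one layer of several.
    return "0: upload mime-type '%s' not allowed" % mime_type

def inspect(path):
    with open(path, "rb") as fh:
        return verdict(sniff_mime_bytes(fh.read(512)))

if __name__ == "__main__":
    # ModSecurity hands over the temporary upload path as the only argument;
    # it is opened directly, no shell involved, so no escaping is needed.
    print(inspect(sys.argv[1]))
```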