Re: [mod-security-users] Validation type of upload files
From: Troy A. <tr...@ze...> - 2005-02-23 02:28:09
On Tue, Feb 22, 2005 at 11:33:08PM +0000, Ivan Ristic wrote:
> Jochen Kaechelin wrote:
> >
> >Now I want to allow only image-files to be uploaded.
> >But the following does not work:
> >
> > <Location /var/www/noeinfo.noe.de/upload/upload.php>
> >   SecFilterInheritance Off
> >   SecFilterSelective POST_PAYLOAD "!image/(jpeg|bmp|gif)"
> > </Location>
> >
> >What's wrong here?
>
> To restrict file uploads you have the following options:
>
> 1) Use an approver script
>
>    1a) If filtering using the extension is good enough for you
>        I am pretty sure the temporary file you get in the
>        approver script will have the same extension as the
>        original (sorry, I can't check at the moment).
>
>    1b) You don't have to rely on the extension -- you can have
>        a "smart" script figure out the actual content of the
>        file. Something like the "file" tool.

This is slightly OT, but see the poorly named 'getimagesize()' PHP
function:

http://www.php.net/manual/en/function.getimagesize.php

It returns an array of information about the given file, including its
image type. It's safe to say that if it doesn't have a type and size,
then it's not a valid image file.

-troy
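Added example, not part of the original messages or of ModSecurity: a Python approver script for option 1b that identifies JPEG, GIF and BMP uploads by their leading bytes instead of by extension. The verdict convention (file path as the first argument, a first output line starting with 1 to approve) is an assumption to check against the documentation of the ModSecurity version in use.

```python
#!/usr/bin/env python3
"""Content-based image check for an upload approver script (added example)."""
import struct
import sys

# DIB header sizes used by the known BMP variants (CORE, INFO, V2-V5, OS/2 2.x).
BMP_DIB_SIZES = {12, 40, 52, 56, 64, 108, 124}


def sniff_image_type(head: bytes):
    """Return 'jpeg', 'gif', 'bmp' or None from the leading bytes of a file."""
    if head[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if head[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    # "BM" alone is only two bytes, so also require a plausible DIB header size.
    if head[:2] == b"BM" and len(head) >= 18:
        (dib_size,) = struct.unpack_from("<I", head, 14)
        if dib_size in BMP_DIB_SIZES:
            return "bmp"
    return None


def approve(path: str) -> str:
    """Build the verdict line for one temporary upload file."""
    try:
        with open(path, "rb") as fh:
            kind = sniff_image_type(fh.read(32))
    except OSError as exc:
        return f"0 cannot read upload: {exc.strerror}"  # fail closed
    if kind is None:
        return "0 not a jpeg, gif or bmp image"
    return f"1 OK {kind}"


if __name__ == "__main__":
    # Assumed convention: path in argv[1], verdict on the first line of stdout.
    if len(sys.argv) != 2:
        print("0 usage: approver <file>")
    else:
        print(approve(sys.argv[1]))
```

A matching header says nothing about the bytes that follow it, so the application should still store accepted uploads under a server-chosen name and extension.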