Menu
▾
▴
Re: [Phpwebsite-developers] Security Question
|
From: Jim W. <spi...@us...> - 2005-04-28 01:54:30
|
> From: Matthew McNaney <snip> > My question: is this sufficient? I have turned the security parser to > FALSE (i.e. off) in CVS to try and prevent these problems. I would like > some feedback as to whether this will make phpWebSite insecure. > Would either of these ideas help? 1) Check mime types against actual file content instead of scanning for code. Generally, binary files contain a header that provides content identification. phpWS is parsing a the whole file for a short list of tags/functions, but realistically what does that file need to look like in order to actually be executable? If the type is jpg and the the lead in bytes are the same as a valid jpg header, can we assume the file is secure and will be non-executable? I'm not sure...just asking. 2) Set the default back to true (err on the side of safey). Provide a verbose error message so that the user and or the admin can see exactly what happened, why it happened, and how to fix it if they choose to take the risk. Multi-level approach, defaulting to "TRUE" on all levels sounds good to me. Best regards, Jim Wilson |
