the secure PHP framework


Uploaded file extension checking in photo module

Joe Schmoe
18 December 2018, 00:04
Just wanted to point out that it's probably a bad idea to rely on the browser-supplied file type for file uploads.

Better to use mime_content_type() to get the correct extension.

modes/cms/photo.php: Line 182
Hugo Leisink
18 December 2018, 17:37
That is indeed the case for files which are used in a sensitive process, but this is just an image that is uploaded as-is. And the upload functionality is not available for normal users, only for the website owner. I'm not going to build in protection against website owners who want to mess up their own website. But thanks anyway for telling me.
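
The check suggested in the first post, as an added example that is not part of the thread and not Banshee's own code: the stored extension is derived from the file's content and the client-supplied name and type are ignored. The function name, the allow-list and the sample inputs are assumptions made for illustration; it uses `finfo`, the same fileinfo lookup that backs `mime_content_type()`, plus `getimagesize()` as a second check.

```php
<?php
// Added example; all names here are hypothetical, not taken from Banshee.

// Allowed image types: MIME type detected from content => extension to store.
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Return the extension derived from the file's content, or null when the
 * content is not an allowed image type. $_FILES[...]['name'] and ['type']
 * come from the client and are never consulted.
 */
function image_extension_from_content(string $path): ?string {
    if (!is_file($path)) {
        return null;
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($path);
    if ($mime === false || !array_key_exists($mime, ALLOWED_IMAGE_TYPES)) {
        return null;
    }
    // Second check: the image header must parse and agree with the detected type.
    $info = @getimagesize($path);
    if ($info === false || $info['mime'] !== $mime) {
        return null;
    }
    return ALLOWED_IMAGE_TYPES[$mime];
}

// Constructed sample input: a 1x1 GIF, and a script uploaded under an image name.
$samples = [
    'photo.gif' => base64_decode('R0lGODlhAQABAIAAAAAAAP///ywAAAAAAQABAAACAUwAOw=='),
    'photo.jpg' => "<?php echo 'not an image';",
];

foreach ($samples as $claimed_name => $content) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $content);
    $ext = image_extension_from_content($tmp);
    printf("client says %s: %s\n", $claimed_name, $ext ?? 'rejected');
    unlink($tmp);
}
```

In an upload handler the function would be called on `$_FILES[...]['tmp_name']` before the file is moved, and the returned extension used for the stored filename.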