Banshee
the secure PHP framework

Forum

Uploaded file extension checking in photo module

Joe Schmoe
18 december 2018, 00:04
Just wanted to point out that its probably a bad idea to rely on the browser supplied file type for file uploads.

https://php.net/manual/en/reserved.variables.files.php#109902

Better to use mime_content_type() to get the correct extension.

modes/cms/photo.php: Line 182
Hugo Leisink
18 december 2018, 17:37
That is indeed the case for files which are used in a sensitive process, but this is just an image that is uploaded as-is. And the upload functionality is not available for normal users, only for the website owner. I'm not going to build in protection against website owners who want to mess up their own website. But thanks anyway for telling me.
Message preview

The following BB-codes are available in a message:

  • [b]Bold text[/b]
  • [center]Center text or imagen[/center]
  • [color=color name or #RGB code]Colored text[/color]
  • [i]Italic text[/i]
  • [img]Link to image[/img]
  • [right]Align text or image right[/right]
  • [s]Strike-through text[/s]
  • [size=pixelsize]Big or small text[/size]
  • [u]Underlined text[/u]
  • [url]Link to website[/url]
  • [url=link to website]Link text[/url]
Back
Built upon the Banshee PHP framework v6.3CMS