View previous topic :: View next topic |
Author |
Message |
RTAdams89 -
Joined: 06 Nov 2005 Posts: 102
|
Posted: Tue Jan 23, 2007 9:52 pm Post subject: JPEG MIME type issues |
|
|
I have a PHP script that allows users to upload an image to a directory. Before allowing the upload it does a check of the MIME type to verify it is a JPEG image. I had it set to allow only 'image/jpeg' or 'image/pjpeg' files to be uploaded. When I tried to upload a test image from my computer it worked fine. However, from another computer, the same image would be blocked. I discovered this was because the image was being detected as a 'image/jpg'. Why would the same image be reported as 'image/jpg' from one computer and 'image/jpeg' from a different computer? |
|
Back to top |
|
|
AbyssUnderground -
Joined: 31 Dec 2004 Posts: 3855
|
Posted: Tue Jan 23, 2007 9:58 pm Post subject: |
|
|
The browser. pjpeg is for IE, and jpeg is for FF. Its a stupid thing but I had to correct it on my script to check for both. _________________ Andy (AbyssUnderground) (previously The Inquisitor)
www.abyssunderground.co.uk |
|
Back to top |
|
|
cmxflash -
Joined: 11 Dec 2004 Posts: 872
|
Posted: Wed Jan 24, 2007 5:11 pm Post subject: |
|
|
Relying on the MIME-type is a big security risk. You should check the extension of the file instead, since the MIME-type is easily spoofed.
(Example: rename a jpeg-image to .php and upload it. The server will accept it and run any included PHP-code in the 'image') |
|
Back to top |
|
|
AbyssUnderground -
Joined: 31 Dec 2004 Posts: 3855
|
Posted: Wed Jan 24, 2007 6:06 pm Post subject: |
|
|
I use both for my script so that shouldn't be a problem for me. But yes, this is a big security risk. _________________ Andy (AbyssUnderground) (previously The Inquisitor)
www.abyssunderground.co.uk |
|
Back to top |
|
|
aprelium -
Joined: 22 Mar 2002 Posts: 6800
|
Posted: Thu Jan 25, 2007 11:40 am Post subject: |
|
|
In PHP, you should use the exif_imagetype() function in PHP http://www.php.net/manual/en/function.exif-imagetype.php to determine the image type from the contents of the file (without relying on the extension or on the MIME type that could be forged or wrong).
In other languages, a similar feature could be achieved with external libraries. On Unix systems, there is even a command ("file") which can detect the type of a file by scanning its contents. _________________ Support Team
Aprelium - http://www.aprelium.com |
|
Back to top |
|
|
Yami King -
Joined: 08 Sep 2005 Posts: 120
|
Posted: Fri Feb 09, 2007 8:58 am Post subject: |
|
|
You could also use a system command in Windows. Don't know the exact command, but I friend of mine always uses it (though I won't recommend it) |
|
Back to top |
|
|
|