JPEG MIME type issues

 
Post new topic   Reply to topic    Aprelium Forum Index -> PHP
View previous topic :: View next topic  
Author Message
RTAdams89
-


Joined: 06 Nov 2005
Posts: 102

PostPosted: Tue Jan 23, 2007 9:52 pm    Post subject: JPEG MIME type issues Reply with quote

I have a PHP script that allows users to upload an image to a directory. Before allowing the upload it does a check of the MIME type to verify it is a JPEG image. I had it set to allow only 'image/jpeg' or 'image/pjpeg' files to be uploaded. When I tried to upload a test image from my computer it worked fine. However, from another computer, the same image would be blocked. I discovered this was because the image was being detected as a 'image/jpg'. Why would the same image be reported as 'image/jpg' from one computer and 'image/jpeg' from a different computer?
Back to top View user's profile Send private message
AbyssUnderground
-


Joined: 31 Dec 2004
Posts: 3855

PostPosted: Tue Jan 23, 2007 9:58 pm    Post subject: Reply with quote

The browser. pjpeg is for IE, and jpeg is for FF. Its a stupid thing but I had to correct it on my script to check for both.
_________________
Andy (AbyssUnderground) (previously The Inquisitor)
www.abyssunderground.co.uk
Back to top View user's profile Send private message Visit poster's website
cmxflash
-


Joined: 11 Dec 2004
Posts: 872

PostPosted: Wed Jan 24, 2007 5:11 pm    Post subject: Reply with quote

Relying on the MIME-type is a big security risk. You should check the extension of the file instead, since the MIME-type is easily spoofed.

(Example: rename a jpeg-image to .php and upload it. The server will accept it and run any included PHP-code in the 'image')
Back to top View user's profile Send private message
AbyssUnderground
-


Joined: 31 Dec 2004
Posts: 3855

PostPosted: Wed Jan 24, 2007 6:06 pm    Post subject: Reply with quote

I use both for my script so that shouldn't be a problem for me. But yes, this is a big security risk.
_________________
Andy (AbyssUnderground) (previously The Inquisitor)
www.abyssunderground.co.uk
Back to top View user's profile Send private message Visit poster's website
aprelium
-


Joined: 22 Mar 2002
Posts: 6800

PostPosted: Thu Jan 25, 2007 11:40 am    Post subject: Reply with quote

In PHP, you should use the exif_imagetype() function in PHP http://www.php.net/manual/en/function.exif-imagetype.php to determine the image type from the contents of the file (without relying on the extension or on the MIME type that could be forged or wrong).

In other languages, a similar feature could be achieved with external libraries. On Unix systems, there is even a command ("file") which can detect the type of a file by scanning its contents.
_________________
Support Team
Aprelium - http://www.aprelium.com
Back to top View user's profile Send private message Send e-mail
Yami King
-


Joined: 08 Sep 2005
Posts: 120

PostPosted: Fri Feb 09, 2007 8:58 am    Post subject: Reply with quote

You could also use a system command in Windows. Don't know the exact command, but I friend of mine always uses it (though I won't recommend it)
Back to top View user's profile Send private message Send e-mail
Display posts from previous:   
Post new topic   Reply to topic    Aprelium Forum Index -> PHP All times are GMT + 1 Hour
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum


Powered by phpBB phpBB Group