Shoutbox

Can I just add a question while we're on the subject of uploading:

The mime-type is sent by the browser in the headers before the file is sent, or is it stored inside the file somehow? The reason I ask this is that if it's sent by the browser it is possible to fake it, and so upload a .php file pretending to be image/png or something else because only the mime-types are checked...

quote:

---

Originally posted by Segosa
Can I just add a question while we're on the subject of uploading:

The mime-type is sent by the browser in the headers before the file is sent, or is it stored inside the file somehow? The reason I ask this is that if it's sent by the browser it is possible to fake it, and so upload a .php file pretending to be image/png or something else because only the mime-types are checked...

---

in order to upload the .php file as an image as you are describing, a setting in apache would need to be changed in the mime.types file.

quote:

---

Originally posted by WDZ
I'd probably do something like this...

code:

---

$types = array("image/gif", "image/pjpeg", "image/bmp", "video/mpeg", "video/x-msvideo", "image/png", "application/x-shockwave-flash");
if(in_array($HTTP_POST_FILES['file']['type'], $types)) {

---

---

thanks.

It is completely possible to fake a mime type when uploading a file, so I strongly recommend also checking the extension, especially if you're going to store the file on your web server in a publically-accessable location with its original filename.

I assume that browsers get their mime types from the registry. For example, if you browse to HKEY_CLASSES_ROOT\.jpg, you will see a value called "Content Type" set to "image/jpeg." If a certain type of file is not in the registry, a generic type like "application/octet-stream" or "text/plain" will be used.

Another possibility is that the browser reads the first few bytes of the file, looking for common headers, such as "GIF89a" for a gif image. I think I'll research this further...

quote:

---

Originally posted by megamuff
in order to upload the .php file as an image as you are describing, a setting in apache would need to be changed in the mime.types file.

---

Uhh, you're obviously not on the same page.

Maybe a server-side mimetyping script or class wouldn't be any bad...

Anyway, I gave Matty some hints on Messenger already. He only needs to assure he's uploading mp3's, so extension and mime/type check is the least he can do for now.

quote:

---

Originally posted by WDZ
It is completely possible to fake a mime type when uploading a file, so I strongly recommend also checking the extension, especially if you're going to store the file on your web server in a publically-accessable location with its original filename.

I assume that browsers get their mime types from the registry. For example, if you browse to HKEY_CLASSES_ROOT\.jpg, you will see a value called "Content Type" set to "image/jpeg." If a certain type of file is not in the registry, a generic type like "application/octet-stream" or "text/plain" will be used.

Another possibility is that the browser reads the first few bytes of the file, looking for common headers, such as "GIF89a" for a gif image. I think I'll research this further...

---

Well, I tried it out.

I found out where Firefox got its mime-types from (C:\Documents and Settings\<username>\Application Data\Mozilla\Firefox\Profiles\<profile>\mimeTypes.rdf) and added an entry for .php:

code:

---

  <RDF: Description RDF:about="urn:mimetype:image/png"
                   NC:value="image/png"
                   NC:editable="true"
                   NC:fileExtensions="php"
                   NC: description="PHP File">
    <NC:handlerProp RDF:resource="urn:mimetype:handler:image/png"/>
  </RDF: Description>

---

making Firefox think it's actually image/png. I created a PHP upload script which only made a check on the mime-type:

code:

---

if ($_FILES['file']['type'] == "image/png")

---

and tried uploading a .png, it worked fine. I created a .php and uploaded, and that uploaded fine too.

quote:

---

Originally posted by Segosa
I found out where Firefox got its mime-types from (C:\Documents and Settings\<username>\Application Data\Mozilla\Firefox\Profiles\<profile>\mimeTypes.rdf) and added an entry for .php:

---

Ah, interesting. Maybe only MSIE gets its types from the registry. I wonder about Opera now...

Hmm... I found a section in the config file (opera6.ini) where many mime types are associated with extensions, so that could be it.