David Gerard wrote:
| Frank v Waveren (fvw.wikipediaml(a)var.cx) [050123 14:45]:
|>The filetypes allowable for uploads were hurriedly limited a while
|>back because of abuse, I suspect it's just that nobody thought of SVG.
|
| Does it check what the file actually is, or just check the extension?
Take a look at SpecialUpload.php some time. In summary, on upload we:
* Normalize the filename
* Ensure the extension is in a whitelist
* Ensure that no blacklisted extensions are present
* For known image types, use the getimagesize() function to detect the file type and ensure that there is an identifiable header.
** If no type is detected for a known extension, the file is rejected.
** If the detected type does not match the given extension, the file is rejected.
* Attempt to replicate Internet Explorer's HTML-detection heuristic to prevent scripting attacks using HTML+JavaScript embedded into a valid image file.
-- brion vibber (brion @ pobox.com)
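As an added illustration of the checks Brion lists above (example code, not MediaWiki's own SpecialUpload.php): the whitelist, blacklist, magic-header table and sniffing window below are assumptions, and the sample files are constructed, not real images.

```python
import re

# Added example, not MediaWiki's SpecialUpload.php: the upload checks the
# post lists, applied to constructed in-memory files. The lists are assumed.
WHITELIST = {"png", "gif", "jpg", "jpeg"}
BLACKLIST = {"html", "htm", "js", "php", "phtml", "shtml", "exe", "cgi"}
MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"GIF87a": "gif", b"GIF89a": "gif",
         b"\xff\xd8\xff": "jpeg"}          # stand-in for getimagesize()
# Rough stand-in for the browser sniffing heuristic: an HTML tag in the
# leading bytes means a browser may render the "image" as a document.
HTML_TAG = re.compile(rb"<\s*(html|head|body|script|title|table|a|img|pre|"
                      rb"iframe|object|meta)\b", re.I)
SNIFF_WINDOW = 1024                         # assumed size of the window checked

def normalize_filename(name):
    """Drop directory components and replace spaces, as a wiki title would."""
    return name.replace("\\", "/").rsplit("/", 1)[-1].strip().replace(" ", "_")

def detect_type(data):
    """Return the image type identified by its header, or None."""
    return next((t for m, t in MAGIC.items() if data.startswith(m)), None)

def check_upload(filename, data):
    """Run the checks in the order the post gives; return (accepted, reason)."""
    parts = normalize_filename(filename).lower().split(".")
    if len(parts) < 2:
        return False, "no extension"
    ext = "jpeg" if parts[-1] == "jpg" else parts[-1]
    if ext not in WHITELIST:
        return False, "extension not whitelisted"
    if any(p in BLACKLIST for p in parts[1:-1]):    # e.g. name.php.png
        return False, "blacklisted extension present"
    found = detect_type(data)
    if found is None:
        return False, "no identifiable image header"
    if found != ext:
        return False, "header type %s does not match extension" % found
    if HTML_TAG.search(data[:SNIFF_WINDOW]):
        return False, "HTML markup inside image"
    return True, "ok"

# Constructed sample files (only headers plus filler, not real images).
PNG_OK = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
PNG_WITH_HTML = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8 + b"<html><body>x</body></html>"

if __name__ == "__main__":
    for name, blob in [("photo.png", PNG_OK), ("shell.php.png", PNG_OK),
                       ("page.html", b"<html>"), ("x.gif", PNG_OK),
                       ("photo.png", PNG_WITH_HTML)]:
        print(name, check_upload(name, blob))
```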