From: Nik Cubrilovic (niknik.com.au)
Date: Wed Mar 06 2002 - 12:36:04 CST


    One thing that I have noticed with uploading files in PHP is the ability
    to embed scripts and have them execute on IE regardless of the
    content-type specified.

    In this case I want to enable site visitors to upload PDF documents for
    other visitors to view.

    The upload script has a number of simple checks for the uploaded document
    (file name, check to see if the file extension ends with .PDF etc.) but it
    seems that when uploading a file such as the following

    -----test.pdf-------
    <script language="javascript">
            alert('Javascript enabled');
    </script>
    -----end test.pdf----

    and setting the following headers in a PHP script to display it back (the
    PDF is stored in a database BLOB).

    header("Content-type: application/pdf");
    header("Content-Disposition: filename=test.pdf");

    IE will still execute the Javascript! Netscape 6.x properly detects that
    it is a corrupt PDF document, but for some reason IE still executes the
    Javascript.

    Is this a hole in IE that developers should be taking into consideration?

    Tested on IE 6.0.2600 (with HFs).

    -Nik
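
Added example (not part of the original post): one way to handle the case described above on the server side in PHP, checking the stored bytes for the PDF signature instead of trusting the file name, and sending headers that ask the browser not to render the response inline. The function names and sample data are hypothetical, and X-Content-Type-Options only has an effect in browsers that implement it.

```php
<?php
// Added example; looks_like_pdf(), pdf_response_headers() and serve_pdf()
// are hypothetical names, and the sample data below is constructed.

/** True only if the bytes begin with the PDF signature "%PDF-<n>.<n>". */
function looks_like_pdf(string $bytes): bool
{
    // Rejects the test.pdf from the post, which starts with "<script".
    // It does not prove the rest of the file is a well-formed PDF.
    return preg_match('/\A%PDF-\d\.\d/', $bytes) === 1;
}

/** Response headers for handing a stored upload back to a visitor. */
function pdf_response_headers(string $storedName, int $length): array
{
    // Never copy the uploader's file name into a header unfiltered.
    $safe = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($storedName));
    return [
        'Content-Type: application/pdf',
        // "attachment" asks for a download instead of inline rendering.
        'Content-Disposition: attachment; filename="' . $safe . '"',
        // Asks supporting browsers not to second-guess the declared type.
        'X-Content-Type-Options: nosniff',
        'Content-Length: ' . $length,
    ];
}

/** Serve a BLOB read from the database, refusing non-PDF content. */
function serve_pdf(string $storedName, string $blob): void
{
    if (!looks_like_pdf($blob)) {
        http_response_code(415);
        header('Content-Type: text/plain; charset=us-ascii');
        echo "Not a PDF\n";
        return;
    }
    foreach (pdf_response_headers($storedName, strlen($blob)) as $line) {
        header($line);
    }
    echo $blob;
}

// Constructed samples, run from the command line only.
if (PHP_SAPI === 'cli') {
    $fake = "<script language=\"javascript\">\nalert('Javascript enabled');\n</script>\n";
    $real = "%PDF-1.4\n1 0 obj\n<< >>\nendobj\n%%EOF\n";
    var_dump(looks_like_pdf($fake), looks_like_pdf($real));
    print_r(pdf_response_headers('../my report.pdf', strlen($real)));
}
```

Running the same signature check at upload time, before the file reaches the database, keeps mislabelled content from being stored at all.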