From: Peter Conrad (conradtivano.de)
Date: Thu Jul 04 2002 - 05:56:08 CDT

    Hi,

    On Wed, Jul 03, 2002 at 07:48:27PM -0700, James Fleming wrote:
    >
    > I am building a system where the user can upload a
    > file. I want to restrict the file types.

    The clean (and secure) way is:

    1. Find the specification of the file type you want to allow
    2. Write code to check the uploaded file against the specification

    Depending on the specific type you want to use, code in Java may or may
    not be available (e.g. in java.awt, or an XML parser).

    The quick-and-dirty(-and-insecure) way is the way the unix "file" utility
    uses: apply heuristics (e.g. if a file starts with the characters "GIF8"
    it is most likely a GIF image file).

    > I know
    > extension checking is futile (especially if you're a Mac
    > user) so is there a bullet-proof way I can check a
    > file type from the byte-stream or similar? I read
    > about the Apache mime module but it wasn't clear to me
    > as if the browser selects the mime type, then the
    > adversary could change it pretty easily.

    mod_mime only determines MIME types of outgoing data, i.e. files delivered
    to the user. Also, it works on file extensions or location (directory) info
    only, not on the actual contents. mod_mime_magic uses file contents (actually
    it is derived from the unix "file" command), but it also is only intended
    for *outgoing* data.

    Bye,
            Peter

    -- 
    Peter Conrad                        Tel: +49 6102 / 80 99 072
    [ t]ivano Software GmbH             Fax: +49 6102 / 80 99 071
    Bahnhofstr. 18
    63263 Neu-Isenburg
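The two approaches Peter contrasts, as an added example that is not part of his reply or of the original thread: sniff_magic() is the file(1)-style heuristic (the "GIF8" check), and validate_gif() is the "clean" route, a parser written from the GIF87a/89a specification (header, logical screen descriptor, colour tables, extension and image blocks, trailer as the last byte). It is in Python rather than Java so it runs stand-alone; every function and constant name is this example's own, and the sample byte strings at the bottom are constructed inline.

```python
# Added example, not code from the thread above: validate an upload against the
# GIF87a/89a specification instead of trusting a file(1)-style magic-byte sniff.
import struct


class InvalidFile(ValueError):
    """The byte stream does not conform to the format it claims to be."""


def sniff_magic(data: bytes):
    """The quick-and-dirty heuristic: guess the type from the leading bytes only."""
    return "gif" if data.startswith(b"GIF8") else None


def _skip_subblocks(data: bytes, pos: int) -> int:
    """Walk a GIF data sub-block chain (length byte + payload; a 0 byte ends it)."""
    while pos < len(data):
        n = data[pos]
        pos += 1 + n
        if n == 0:
            return pos
    raise InvalidFile("truncated sub-block chain")


def validate_gif(data: bytes) -> dict:
    """Check the header, colour tables and block sequence against the GIF89a spec."""
    if len(data) < 13 or data[:3] != b"GIF" or data[3:6] not in (b"87a", b"89a"):
        raise InvalidFile("bad GIF header")
    width, height, packed = struct.unpack("<HHB", data[6:11])  # logical screen descriptor
    if width == 0 or height == 0:
        raise InvalidFile("zero-sized logical screen")
    pos = 13 + (3 << ((packed & 7) + 1) if packed & 0x80 else 0)  # skip global colour table
    frames = 0
    while True:
        if pos >= len(data):
            raise InvalidFile("missing trailer")
        block, pos = data[pos], pos + 1
        if block == 0x3B:                                # trailer
            break
        if block == 0x21:                                # extension: label byte + sub-blocks
            pos = _skip_subblocks(data, pos + 1)
        elif block == 0x2C:                              # image descriptor (9 bytes)
            if len(data) < pos + 9:
                raise InvalidFile("truncated image descriptor")
            left, top, w, h, ipacked = struct.unpack("<HHHHB", data[pos:pos + 9])
            if w == 0 or h == 0 or left + w > width or top + h > height:
                raise InvalidFile("frame lies outside the logical screen")
            pos += 9 + (3 << ((ipacked & 7) + 1) if ipacked & 0x80 else 0)  # local colour table
            pos = _skip_subblocks(data, pos + 1)         # +1 skips the LZW minimum code size
            frames += 1
        else:
            raise InvalidFile(f"unknown block 0x{block:02x}")
    if frames == 0 or pos != len(data):
        raise InvalidFile("no image frame, or bytes after the trailer")
    return {"format": "gif", "width": width, "height": height, "frames": frames}


VALIDATORS = {"gif": validate_gif}   # one parser per allowed format


def validate_upload(data: bytes, allowed=("gif",)) -> dict:
    """The sniff only selects which specification to parse against; the parse decides."""
    kind = sniff_magic(data)
    if kind not in allowed:
        raise InvalidFile("not an allowed type")
    return VALIDATORS[kind](data)


def is_valid_upload(data: bytes) -> bool:
    try:
        return bool(validate_upload(data))
    except InvalidFile:
        return False


# Constructed samples: a 1x1 GIF with a 2-colour global table and one frame, and
# a file that starts with "GIF8" (so the sniff calls it a GIF) but has no GIF
# structure behind the signature.
SAMPLE_GIF = (b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0) + b"\x00\x00\x00\xff\xff\xff"
              + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0) + b"\x02\x02\x44\x01\x00\x3b")
FORGED = b"GIF89a" + b"this is not a GIF image"
TRAILING = SAMPLE_GIF + b"extra bytes after the trailer"

if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE_GIF), ("forged", FORGED), ("trailing", TRAILING)):
        print(name, "sniff:", sniff_magic(blob), "valid:", is_valid_upload(blob))
```

The sniff accepts FORGED because it only looks at the first four bytes; the parser rejects it at the first block byte, rejects TRAILING because the spec requires the trailer to be the last byte of the stream, and rejects a truncated file because the trailer never arrives. This parser checks structure, not the LZW image data itself; the last step in a real upload path would be a full decode by the image library you intend to use, and the bytes remain untrusted input even after both checks pass.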