Newsgroups: php.internals
Xref: news.php.net php.internals:60470
Date: Sat, 5 May 2012 11:32:55 -0500
To: "internals@lists.php.net"
Subject: JPEG Upload
From: ceo@l-i-e.com ("Richard Lynch")

On Tue, April 10, 2012 1:13 pm, John Crenshaw wrote:
> In most systems you can upload *anything* with a .jpg extension and the
> app will take it, so you can still include the file

People don't use imagecreatefromjpeg() to be sure it isn't some malware or executable or PHP script disguised as a JPEG?!

That's just crazy. And inexcusable in a framework.

Somebody might be able to craft a "JPEG" that validates and still manages to somehow parse some PHP in the middle... Probably using JPEG comments so it's easier.

But one should at least have some kind of validation on user input!

-- 
brain cancer update: http://richardlynch.blogspot.com/search/label/brain%20tumor
Donate: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=FS9NLTNEEKWBE
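The post argues for decoding an upload with imagecreatefromjpeg() rather than trusting the .jpg extension, and then notes the residual risk that a file which decodes correctly can still carry PHP text in a JPEG comment segment. The following is an added example, not code from the post or from any PHP framework, showing one defensive handler that covers both points: it rejects anything GD cannot decode, and it re-encodes the decoded pixels to a fresh file so that comment segments and trailing bytes never reach disk. It assumes the GD extension is loaded; the function name, the `$_FILES['photo']` field and the `/var/www/uploads` directory are hypothetical.

```php
<?php
// Added example (not part of the original mailing-list post). Assumes PHP with
// the GD extension; storeUploadedJpeg(), the "photo" form field and the upload
// directory are hypothetical names chosen for illustration.

declare(strict_types=1);

function storeUploadedJpeg(array $file, string $uploadDir, int $maxBytes = 5000000): string
{
    // 1. Upload sanity: PHP reported no error, the path really came from a form
    //    upload rather than a caller-chosen path, and the size is bounded before
    //    any decoding work is spent on it.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with error code ' . (string) $file['error']);
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    if (filesize($file['tmp_name']) > $maxBytes) {
        throw new RuntimeException('File too large');
    }

    // 2. Judge the content, never the client-supplied name or MIME type.
    //    getimagesize() parses the image header, so a script renamed to .jpg
    //    fails here regardless of its extension.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
        throw new RuntimeException('Not a JPEG image');
    }

    // 3. Decode with GD, as the post recommends. Anything that is not a
    //    well-formed JPEG stream is rejected at this point.
    $img = @imagecreatefromjpeg($file['tmp_name']);
    if ($img === false) {
        throw new RuntimeException('JPEG failed to decode');
    }

    // 4. Re-encode to a brand-new file. This addresses the post's caveat: a file
    //    can decode fine and still contain PHP text in a COM (comment) segment or
    //    after the end-of-image marker. imagejpeg() writes only the decoded
    //    pixels, so none of those bytes survive the round trip.
    $name = bin2hex(random_bytes(16)) . '.jpg';   // server-chosen name, no user input in it
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!imagejpeg($img, $dest, 85)) {
        imagedestroy($img);
        throw new RuntimeException('Could not write image');
    }
    imagedestroy($img);
    chmod($dest, 0644);   // readable, not executable
    return $name;
}

// Usage (hypothetical): keep the upload directory outside the PHP handler's
// reach so a stored file is only ever served as static bytes.
// $stored = storeUploadedJpeg($_FILES['photo'], '/var/www/uploads');
```

The decode/re-encode step is what turns "it validates" into "it cannot carry a payload": validation alone, as the post observes, leaves JPEG comments intact. The trade-off is that legitimate EXIF metadata is discarded as well, which is usually acceptable for user avatars and similar content. The quoted concern about being able to `include` the file is independent of its contents and is best closed at the web-server level by disabling PHP execution for the upload directory.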