Newsgroups: php.internals
Subject: Re: [PHP-DEV] JPEG Upload
From: swhitemanlistens-software@cypressintegrated.com (Sanford Whiteman)
Reply-To: Sanford Whiteman
To: internals@lists.php.net
Date: Sun, 6 May 2012 00:13:45 -0400
Message-ID: <609356174.20120506001345@cypressintegrated.com>
In-Reply-To: <557570e107fb3960b03f8b3c6a2b464e.squirrel@www.l-i-e.com>
References: <58e8965ff524a3ff98ba3cbb5028ddba.squirrel@www.l-i-e.com> <613522097.20120505140848@cypressintegrated.com> <4FA576EB.5040907@gmail.com> <557570e107fb3960b03f8b3c6a2b464e.squirrel@www.l-i-e.com>
Xref: news.php.net php.internals:60488

> Or find a way to have (some of) your users have some level of trust.
Or don't execute anyone's uploads. If you allow people to upload code, make them say it's code (via extension *and* by putting it in an executable area). It is not difficult to predict whether a file will be processed by PHP before worrying about what PHP would do with it.

If people really worried as much as they claim to about execution of any old document, robots, htaccess, ds_stores -- and php.inis, for that matter -- would be considered highly dangerous.

-- S.
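The advice above ("don't execute anyone's uploads": decide up front whether a stored file can ever be processed by PHP, and arrange that it cannot) can be made concrete in an upload handler. The following is an added example, not code from this thread or from the PHP project. It assumes a hypothetical storage directory `/var/app/uploads` that lies outside the web server's document root, so no URL maps to a stored file; the type is taken from the file's bytes, the name and extension are chosen by the server, and stored files are only ever streamed back as data, never included or executed.

```php
<?php
// Added example (not from the thread): an upload handler that never lets an
// upload land where PHP would execute it. UPLOAD_ROOT is an assumed path that
// sits outside the document root, so no request path resolves to a stored file.
declare(strict_types=1);

const UPLOAD_ROOT = '/var/app/uploads';

// Allowed image types, keyed by the MIME type detected from file content,
// mapped to the extension the server assigns (never the client-supplied name).
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Validate one entry of $_FILES and move it into $uploadRoot under a random name.
 * Returns the stored filename, or throws on any validation failure.
 */
function storeImageUpload(array $file, string $uploadRoot = UPLOAD_ROOT): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with error code ' . $file['error']);
    }
    // Only accept files PHP itself received via HTTP POST (rejects arbitrary paths).
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    // Decide the type from the bytes, not from the client name or declared type.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_IMAGE_TYPES[$mime])) {
        throw new RuntimeException("Rejected content type: $mime");
    }
    // Server-chosen random name with a server-chosen extension: whatever the
    // client called the file, that name never reaches the filesystem.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
    $dest = $uploadRoot . DIRECTORY_SEPARATOR . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store upload');
    }
    chmod($dest, 0640); // data, not a program: no execute bit
    return $name;
}

/**
 * Serve a stored image by streaming its bytes. The file is read as data and is
 * never included or executed; the name must match the pattern storeImageUpload
 * generates, so a traversal sequence in the request cannot select another path.
 */
function serveStoredImage(string $name, string $uploadRoot = UPLOAD_ROOT): void
{
    if (!preg_match('/\A[0-9a-f]{32}\.(jpg|png|gif)\z/', $name)) {
        http_response_code(404);
        return;
    }
    $path = $uploadRoot . DIRECTORY_SEPARATOR . $name;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    header('Content-Type: ' . $finfo->file($path));
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}

// Usage from two hypothetical endpoints:
//   POST /upload.php      -> $name = storeImageUpload($_FILES['image']);
//   GET  /image.php?n=... -> serveStoredImage($_GET['n'] ?? '');
```

The design follows the post's point rather than trying to out-guess PHP's handling of a given blob: the question "will PHP ever process this file?" is answered by where it is stored and how it is served, not by inspecting the content for PHP tags. Where an upload directory must remain web-reachable, the same property can be enforced at the server, for example by switching the PHP engine off for that directory in Apache's configuration (`php_admin_flag engine off` inside the relevant `<Directory>` block with mod_php) so that stored files are served as static data regardless of name.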