As we discussed on irc, mime_magic is now deprecated, there is currently no function
available to detirmine mimetype without pecl/pear.
You could use exec('file -bi'..) or some other fallback or ugly hack that only increases
code complexity and does not lend portability as they tend to be system/os specific.
I think its reasonable for develpers to have access to this functionality without
the need to install pecl/pear additions which in a hosting environment may not
be possible.
Kind regards
Kevin
--
"Democracy is two wolves and a lamb voting on what to have for lunch.
Liberty is a well-armed lamb contesting the vote."
As we discussed on irc, mime_magic is now deprecated, there is currently no function
available to detirmine mimetype without pecl/pear.
While mime_magic is deprecated, it does not mean it cannot be used.
So there certainly is a way to do it without PECL.
Also, to repeat myself here, there is also no way to use filepro database, hwapi, msession,
cpdf, dio, fam, ingres, mnogosearch, yp API, Ovrimos, PayFlow Pro and a bunch of other functions
without using PECL.
When we move something to PECL or deprecate a core extension in favor of its PECL analogue,
it does not mean the PECL extension should be moved into core, that's not the point.
Btw, quite a number of useful extensions were born in PECL and there are no plans of moving into core either.
I think its reasonable for develpers to have access to this functionality without
the need to install pecl/pear additions which in a hosting environment may not
be possible.
Anyone capable of installing core extension, is capable of installing an extension from PECL,
in most cases it's as easy as pecl install <name>.
I can't see how moving filepro into core would help those who cannot enable it anyway.
So, to make myself 100% clear, I'm certainly -1 on moving any more extensions to core, including fileinfo.
--
Wbr,
Antony Dovgal
This one time, at band camp, Antony Dovgal antony@zend.com wrote:
While mime_magic is deprecated, it does not mean it cannot be used.
So there certainly is a way to do it without PECL.
Currently, but it will be moved sometime in the future.
Anyone capable of installing core extension, is capable of installing an extension from PECL,
in most cases it's as easy aspecl install <name>.
Not everybody has access to this, particularly in a mutliple hosting environment.
I can't see how moving filepro into core would help those who cannot enable it anyway.
It would be nice to be able to verify/validate file types by mimetype with a simple core function
that is available on all platforms. If the only way of doing this is in PECL then portablity
is lost and so is any surity of what type of file an uploaded file may be, without resorting to hacks.
Kevin
--
"Democracy is two wolves and a lamb voting on what to have for lunch.
Liberty is a well-armed lamb contesting the vote."
While mime_magic is deprecated, it does not mean it cannot be used.
So there certainly is a way to do it without PECL.
Currently, but it will be moved sometime in the future.Anyone capable of installing core extension, is capable of installing an extension from PECL,
in most cases it's as easy aspecl install <name>.
Not everybody has access to this, particularly in a mutliple hosting environment.
Sure, but the very same applies to core extensions.
It would be nice to be able to verify/validate file types by mimetype with a simple core function
that is available on all platforms. If the only way of doing this is in PECL then portablity
is lost and so is any surity of what type of file an uploaded file may be, without resorting to hacks.
Including an extension into the core does not mean it will become available on all hostings,
especially taking into account that this extension has an external dependency (libfile).
Also, I'm not sure I understand what portability you're talking about.
ext/mime_magic can be also missing if your sysadmin did not enable it when building PHP.
--
Wbr,
Antony Dovgal
Maybe it would be a good idea to have a list of recommended extensions
for hosting providers that states what functionality an extension
provides, what it depends upon and some brief analysis of runtime
overhead and possibilities of abuse. While this would obviously not
fully solve the problem it may encourage hosts to take extensions that
are not bundled with the default distribution into consideration. This
and similar suggestions could be grouped into some sort of guidelines
for hosting providers.
my 2c and regards,
Vlad Bosinceanu
Antony Dovgal wrote:
While mime_magic is deprecated, it does not mean it cannot be used.
So there certainly is a way to do it without PECL.
Currently, but it will be moved sometime in the future.Anyone capable of installing core extension, is capable of
installing an extension from PECL, in most cases it's as easy as
pecl install <name>.
Not everybody has access to this, particularly in a mutliple hosting
environment.Sure, but the very same applies to core extensions.
It would be nice to be able to verify/validate file types by mimetype
with a simple core function
that is available on all platforms. If the only way of doing this is
in PECL then portablity
is lost and so is any surity of what type of file an uploaded file
may be, without resorting to hacks.Including an extension into the core does not mean it will become
available on all hostings, especially taking into account that this
extension has an external dependency (libfile).Also, I'm not sure I understand what portability you're talking about.
ext/mime_magic can be also missing if your sysadmin did not enable it
when building PHP.
Maybe it would be a good idea to have a list of recommended extensions
for hosting providers that states what functionality an extension
provides, what it depends upon and some brief analysis of runtime
overhead and possibilities of abuse. While this would obviously not
fully solve the problem it may encourage hosts to take extensions that
are not bundled with the default distribution into consideration. This
and similar suggestions could be grouped into some sort of guidelines
for hosting providers.
I'm sure such a list would be certainly appreciated, though I don't believe it could change anything.
--
Wbr,
Antony Dovgal
Hi Antony,
Antony Dovgal wrote:
While mime_magic is deprecated, it does not mean it cannot be used.
So there certainly is a way to do it without PECL.
Currently, but it will be moved sometime in the future.Anyone capable of installing core extension, is capable of installing
an extension from PECL, in most cases it's as easy aspecl install <name>.
Not everybody has access to this, particularly in a mutliple hosting
environment.Sure, but the very same applies to core extensions.
however the just do ./configure without any additional options or just
add all enabling|--with params but are ignorant of PECL being existent.
Thus they think they have provided everything, though they haven't. Then
the process starts to ask for the installation of this or that PECL
extension :(
It would be nice to be able to verify/validate file types by mimetype
with a simple core function
that is available on all platforms. If the only way of doing this is
in PECL then portablity
is lost and so is any surity of what type of file an uploaded file may
be, without resorting to hacks.Including an extension into the core does not mean it will become
available on all hostings, especially taking into account that this
extension has an external dependency (libfile).Also, I'm not sure I understand what portability you're talking about.
ext/mime_magic can be also missing if your sysadmin did not enable it
when building PHP.
Andrey
This one time, at band camp, Antony Dovgal antony@zend.com wrote:
Also, to repeat myself here, there is also no way to use filepro database, hwapi, msession,
cpdf, dio, fam, ingres, mnogosearch, yp API, Ovrimos, PayFlow Pro and a bunch of other functions
without using PECL.
I appreciate your point about not having everything available to core. The extensions you
mention above are very specific to a task, where-as validating a file mimetype is quite a
generic procedure. To this end I would like to see more discussion on the topic. Its very
clear that you are not for it, but lets hear from others?
Kind regards
Kevin
--
"Democracy is two wolves and a lamb voting on what to have for lunch.
Liberty is a well-armed lamb contesting the vote."
Hello,
I appreciate your point about not having everything available to core. The extensions you
mention above are very specific to a task, where-as validating a file mimetype is quite a
generic procedure. To this end I would like to see more discussion on the topic. Its very
clear that you are not for it, but lets hear from others?
I like to have fileinfo bundled.
--Pierre
Kevin Waterson wrote:
This one time, at band camp, Antony Dovgal antony@zend.com wrote:
Also, to repeat myself here, there is also no way to use filepro database, hwapi, msession,
cpdf, dio, fam, ingres, mnogosearch, yp API, Ovrimos, PayFlow Pro and a bunch of other functions
without using PECL.I appreciate your point about not having everything available to core. The extensions you
mention above are very specific to a task, where-as validating a file mimetype is quite a
generic procedure. To this end I would like to see more discussion on the topic. Its very
clear that you are not for it, but lets hear from others?
my opinion count for jack s*** around here but the way I see it if I have a function fopen()
as standard then I 'should' have a standard mechanism to figure out what kind of file
something is.
in practice I control all the servers I work on so doing 'pecl install fileinfo' is not a
big deal - but the majority of users don't have that privilege.
having fileinfo included as standard will hopefully encourage lots of projects (that are often
infamous for security flaws?) to do a little more than check a file's extension when dealing
with uploads?
Kind regards
Kevin
This one time, at band camp, Antony Dovgal antony@zend.com wrote:
Also, to repeat myself here, there is also no way to use filepro database, hwapi, msession,
cpdf, dio, fam, ingres, mnogosearch, yp API, Ovrimos, PayFlow Pro and a bunch of other functions
without using PECL.I appreciate your point about not having everything available to core.
The extensions you mention above are very specific to a task, where-as
validating a file mimetype is quite a generic procedure. To this end I
would like to see more discussion on the topic. Its very clear that
you are not for it, but lets hear from others?
I would also say it's something that many web applications require or
would benefit from.
regards,
Derick
When we move something to PECL or deprecate a core extension in favor of its
PECL analogue, it does not mean the PECL extension should be moved into core,
that's not the point.
Btw, quite a number of useful extensions were born in PECL and there are no
plans of moving into core either.
But I would think that while there is an extension in PECL that is
favoured over a deprecated extension in the core, we should be able to
swap it.
I think its reasonable for develpers to have access to this
functionality without the need to install pecl/pear additions which
in a hosting environment may not be possible.Anyone capable of installing core extension, is capable of installing an
extension from PECL, in most cases it's as easy aspecl install <name>.
Yes, but no hosters do that and I would actually push for turning this
very usefull extension on by default. I spoke with Ilia before and we
can most likely even bundle it when we make the library file in memory
as well. And I think we should improve the ext a bit and put it in.
regards,
Derick
Yes, but no hosters do that and I would actually push for turning this
very usefull extension on by default. I spoke with Ilia before and we
can most likely even bundle it when we make the library file in memory
as well. And I think we should improve the ext a bit and put it in.
It seems cheap enough and ubiquitous enough to belong in core to this
naive reader...
It can be a real hassle to write to a brain-dead webhost of a client
to convince them to add a PECL extension just so you can do some
fundamental sanity checks on an uploaded file to have some degree of
confidence that it's not evil content.
Asking the client to switch hosts is seldom an option.
Hacking something up with exec() or having to roll your own Mime Magic
for a distributed file upload library seems like a lot of developers
will be inconvenienced...
--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?