Re: Protector protects from a legitimate upload.
msg# 1.5.1
When I read the media uploader class in the core from xoops.org 1~2 years ago, it did not look well-designed.
Checking MIME is nonsense.
It's just a member of the user's post.
Even for image files, you have to check their contents.
(by getimagesize() etc.)
There is a major and bad browser named "Microsoft Internet Explorer".
Since the idiot browser ignores the "Content-Type" header, storing HTML as a gif makes XSS.
Of course, attackers can post an HTML file as ".gif" and "image/gif".
Votes:17
Average:10.00
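The content check the post above calls for, as an added example that is not part of the original post or of the XOOPS code: the stored extension is derived from what `getimagesize()` finds in the bytes, and the client-supplied name and MIME type are only printed, never trusted. The helper name `detect_image_extension`, the allowlist and both sample uploads are constructed for illustration.

```php
<?php
// Added example: decide the file type from the bytes, never from the
// client-supplied name or MIME type (both are attacker-controlled).

const ALLOWED_TYPES = [           // detected type => extension we assign
    IMAGETYPE_GIF  => 'gif',
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
];

/**
 * Hypothetical helper: returns the extension to store the file under,
 * or null when the contents are not an allowed image.
 */
function detect_image_extension(string $path): ?string
{
    $info = @getimagesize($path);          // false when not a parsable image
    if ($info === false) {
        return null;
    }
    [$width, $height, $type] = $info;      // indexes 0, 1, 2 of the result
    if ($width < 1 || $height < 1 || !isset(ALLOWED_TYPES[$type])) {
        return null;
    }
    return ALLOWED_TYPES[$type];
}

// Constructed sample uploads: what the client claims vs. the bytes sent.
$uploads = [
    ['name' => 'avatar.gif', 'type' => 'image/gif',   // a real 1x1 GIF
     'bytes' => base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7')],
    ['name' => 'banner.gif', 'type' => 'image/gif',   // markup labelled as GIF
     'bytes' => '<html><body>constructed markup, not an image</body></html>'],
];

foreach ($uploads as $upload) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $upload['bytes']);
    $ext = detect_image_extension($tmp);
    printf("%s (claimed %s): %s\n", $upload['name'], $upload['type'],
        $ext === null ? 'rejected' : "accepted, stored as .$ext");
    unlink($tmp);
}
```

A file can begin with a valid image header and still carry markup further in, so re-encoding accepted images through an image library before storing them is a stronger form of the same check. Serving stored uploads with `X-Content-Type-Options: nosniff` addresses the sniffing side of the problem in browsers that honour it.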