Re: Array of standard Mime document
by colin, 14 years, 5 months ago
Are you using a Flash uploader? Flash rewrites all MIME types to application/octet-stream, so the class can only rely on the file extension.

I see that none of the MIME detection methods are enabled on your server, and you are using a Windows server. So your system cannot determine the MIME type reliably. You should set up your server so that it can detect MIME types, or use a proper operating system for a server (Linux, BSD...).

In any case, the class on your system can only determine the MIME to be application/octet-stream for extensions it doesn't know. exe extensions are not known, so it falls back to application/octet-stream.

You can forbid the MIME application/octet-stream to prevent such files from being uploaded. But then it is really easy to spoof an upload, as in your case the class is forced to rely on the file extension. In other words, whatever you try to do to restrict the MIME types which can be uploaded, you cannot have something secure: just changing the file extension will allow an attacker to upload any file he wants.

My suggestion: use a proper operating system, or at least make sure that MIME detection is enabled on your system. Without this, you will not be able to secure your uploads.
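
The point made in the reply above, as an added example that is not part of the original post and is not code from the upload class: a server-side check that takes the MIME type from the file content through PHP's fileinfo extension, and refuses the upload when that detection is unavailable instead of falling back to the extension. The allowlist, the function name `checkUpload` and the sample file are assumptions made for illustration.

```php
<?php
// Added example. ALLOWED_MIME and checkUpload() are hypothetical names.
// Allowlist: content-detected MIME type => extensions accepted for it.
const ALLOWED_MIME = [
    'image/jpeg'      => ['jpg', 'jpeg'],
    'image/png'       => ['png'],
    'application/pdf' => ['pdf'],
];

/**
 * Returns the detected MIME type when the upload is acceptable, null otherwise.
 * $tmpPath    server-side temporary file, e.g. $_FILES['f']['tmp_name']
 * $clientName filename sent by the client (untrusted)
 */
function checkUpload(string $tmpPath, string $clientName): ?string
{
    if (!extension_loaded('fileinfo')) {
        // No content-based detection on this server: fail closed.
        // Falling back to the extension is the weakness described above.
        throw new RuntimeException('fileinfo extension is not enabled');
    }

    // Detect the type from the file bytes; the client-supplied
    // Content-Type (e.g. rewritten by a Flash uploader) is never consulted.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);

    if ($mime === false || !isset(ALLOWED_MIME[$mime])) {
        return null; // anything not explicitly allowed is rejected
    }

    // The extension must agree with the detected content type,
    // so renaming a file does not change the decision.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_MIME[$mime], true) ? $mime : null;
}

// Constructed sample: bytes beginning with a DOS/Windows "MZ" header,
// submitted under an image filename.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "MZ\x90\x00" . str_repeat("\x00", 60));
var_dump(checkUpload($tmp, 'holiday.jpg'));
unlink($tmp);
```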