Very secure upload form

And (unless I’m out of touch with imaging developments) when testing the file extension against a whitelist of accepted extensions, it’s important to be very sure of your whitelist.

if (in_array($ext, ['jpg', 'gif', 'png', 'bnp'])) {
    // ... 'bnp' is the typo the post is pointing at
}

ETA - apparently that last one actually is a file format, but probably not what the OP meant, before the legions of Sony HD camcorder users pick me up.

Incredible, I wasn’t aware of this, but now that I’ve checked it, Apache by default executes pseudo-extensions like .php.jpg. Sometimes we want to preserve the original file name, in which case we might check for disallowed extensions, whether they are at the end or in the middle of the string:

// The /i flag matters: Apache matches extensions case-insensitively, so
// "x.PHP.jpg" is as dangerous as "x.php.jpg".
if (preg_match('/\.(php\d?|phtml|phar)(\.|\z)/i', $filename)) {
    // forbidden filename...
}

Of course, we should check for allowed extensions regardless.

As an additional protection we can disable PHP execution altogether in the image directory and its subdirectories. If we have Apache with mod_php and .htaccess files are allowed, then one of these lines in .htaccess should do it:

php_flag engine off
RemoveHandler .php
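As an added example that is not code from the thread, here is how the two checks the post describes (a whitelist on the final extension and a rejection of PHP pseudo-extensions anywhere in the name) fit together with a content check and a server-chosen filename. The helper names, the inclusion of `phps` and `php\d*` in the blacklist, the lowercase comparison, and the destination directory are my assumptions, not something the thread states.

```php
<?php
// Added example, not from the original thread. Function names, the extra
// blacklisted extensions (phps, php followed by any digits) and the
// case-insensitive comparison are assumptions made for illustration.

declare(strict_types=1);

const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'gif', 'png', 'bmp'];

/**
 * True only if the filename ends in a whitelisted extension AND contains no
 * extension that Apache's mod_mime could hand to the PHP handler, whether
 * at the end or in the middle ("shell.php.jpg", "x.PHP5.gif", "a.phtml.png").
 */
function isSafeImageName(string $filename): bool
{
    // Path separators and control characters have no place in a filename.
    if (preg_match('/[\/\\\\\x00-\x1f]/', $filename)) {
        return false;
    }
    // Assumption: Apache compares extensions case-insensitively, so we do too.
    $name = strtolower($filename);
    if ($name === '' || $name[0] === '.') {
        return false;
    }
    // 1. Whitelist: the last extension must be one we serve as an image.
    $ext = pathinfo($name, PATHINFO_EXTENSION);
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return false;
    }
    // 2. Blacklist: no PHP-like extension anywhere in the name.
    if (preg_match('/\.(php\d*|phtml|phar|phps)(\.|\z)/', $name)) {
        return false;
    }
    return true;
}

/**
 * Confirm the bytes really are an image of the claimed type. getimagesize()
 * parses the image header, so a PHP script renamed to .jpg fails here.
 */
function isRealImage(string $path, string $claimedExt): bool
{
    $info = @getimagesize($path);
    if ($info === false) {
        return false;
    }
    $actual  = image_type_to_extension($info[2], false); // 'jpeg', 'png', ...
    $claimed = $claimedExt === 'jpg' ? 'jpeg' : $claimedExt;
    return $actual === $claimed;
}

/**
 * Move one entry of $_FILES into $destDir under a random name that keeps
 * only the validated extension. Returns the stored name, or null on rejection.
 */
function storeUpload(array $file, string $destDir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    $original = (string) $file['name'];
    if (!isSafeImageName($original)) {
        return null;
    }
    $ext = strtolower(pathinfo($original, PATHINFO_EXTENSION));
    if (!isRealImage($file['tmp_name'], $ext)) {
        return null;
    }
    // The user's string never becomes a path component on disk.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $destDir . '/' . $stored)) {
        return null;
    }
    return $stored;
}

// Constructed sample names to exercise the name check without a real upload.
foreach (['cat.jpg', 'shell.php.jpg', 'x.PHP5.gif', 'a.phtml.png',
          'b.phar.jpg', 'c.bnp', '../d.png', 'e.jpg.php', '.htaccess'] as $n) {
    printf("%-14s %s\n", $n, isSafeImageName($n) ? 'ok' : 'REJECT');
}
```

Usage: `storeUpload($_FILES['image'], '/var/www/uploads')` (the directory is an assumption) returns the server-generated name to record in the database. Even with all three checks in place, the `php_flag engine off` / `RemoveHandler .php` line from the post still belongs in that directory's .htaccess, since the filename check protects only against names this code has seen.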
