in reply to security issues for allowing images to be uploaded to the server

I was just planning to post something about the new beta of Data::FormValidator I'd like folks to review, and this question is a great segue into that. :)

One of the new additions I'd like people to test for me is a new module to help you validate file uploads, especially images.

Currently the module can validate your file based on file size, image dimensions, and file format (based on MIME type and file extension). A patch to support magic numbers would be cool.

-mark

Re: Re: security issues for allowing images to be uploaded to the server (Data::FormValidator helps)
by submersible_toaster (Chaplain) on May 05, 2003 at 08:02 UTC

    Not sure if you're already on the path but File::MMagic is a nice Perl implementation for getting MIME type by magic!


    I can't believe it's not psellchecked

      Thanks for the pointer. I wasn't aware of File::MMagic, and it seems like a better solution than trusting either the MIME type or extension that is sent with the file. Maybe I'll try "Magic" and if that fails, and if that can't be found, try the MIME type, and if we can't try that, check the extension.

      Can anyone vouch for the accuracy of File::MMagic for usual web upload cases?

      -mark
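
The magic-number check discussed in this thread, as an added example that is not code from the posts, from Data::FormValidator or from File::MMagic: it uses core Perl only, and the names `sniff_format` and `check_upload` and the sample uploads are assumptions made for illustration. It accepts an upload only when the leading bytes, the client-declared MIME type and the file extension all agree on an allowlisted image format.

```perl
use strict;
use warnings;

# Allowlist of accepted formats: type, leading byte signature, extensions.
my @FORMATS = (
    [ 'image/png',  qr/\A\x89PNG\x0D\x0A\x1A\x0A/, [qw(png)]      ],
    [ 'image/gif',  qr/\AGIF8[79]a/,               [qw(gif)]      ],
    [ 'image/jpeg', qr/\A\xFF\xD8\xFF/,            [qw(jpg jpeg)] ],
);

# Return the allowlist entry whose signature matches the content, or undef.
sub sniff_format {
    my ($bytes) = @_;
    for my $fmt (@FORMATS) {
        return $fmt if $bytes =~ $fmt->[1];
    }
    return;
}

# Accept only when content, declared MIME type and extension all agree.
# Returns (1, type) on success or (0, reason) on rejection.
sub check_upload {
    my ($filename, $declared_type, $bytes) = @_;
    my $fmt = sniff_format($bytes)
        or return (0, 'content matches no allowed image signature');
    my ($type, undef, $exts) = @$fmt;
    return (0, "declared type $declared_type but content is $type")
        if lc($declared_type) ne $type;
    my ($ext) = lc($filename) =~ /\.([a-z0-9]+)\z/;
    return (0, "extension does not match $type")
        unless defined($ext) && grep { $_ eq $ext } @$exts;
    return (1, $type);
}

# Constructed sample uploads: [filename, client-declared type, first bytes].
my @samples = (
    [ 'logo.png',  'image/png',  "\x89PNG\x0D\x0A\x1A\x0A\x00\x00\x00\x0DIHDR" ],
    [ 'photo.jpg', 'image/jpeg', "plain text, not an image" ],
    [ 'anim.png',  'image/png',  "GIF89a\x01\x00\x01\x00" ],
);
for my $s (@samples) {
    my ($ok, $detail) = check_upload(@$s);
    printf "%-10s %s: %s\n", $s->[0], ($ok ? 'accept' : 'reject'), $detail;
}
```

A matching signature only shows how the file begins, so size and image-dimension checks of the kind the first post lists still apply to the rest of the content.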