save permission value for uploading images?

[elck]

Hi!

I frequently use scripts that allow my visitors to upload pictures.
Of course I check for the right filetype etc. but the only way I get it to work is by having a directory with permission set to 0777.

A couple of times I found scripts in that directory that I had not put there!

Is there a way that maybe uses CHMOD to only allow uploads through the script, or another way to avoid this?
Maybe not 0777 but another value?
Or did I make a mistake?
Or is there another leak?

 

[Olavxxx]

maybe you are not checking filetype good enough..
try to check something which will only work for an image, maybe dimensions, or use some image-functions on it.

if (functio(image)) {
copy image
}

else {
discard image
}

eg. if the image function (which ever you choose) fails, it most likely is not an image.
the mime-checking capabilities of php, is limited, also extension-checking is not enough.

you could try making a thumb of the image, etc. if it fails, it most likely is not an image, or the image is corrupt.

Olav Alexander Mjelde

http://www.volvo-power.net

Admin & Webmaster

 

[BabyJeffy]

you could try making a thumb of the image, etc. if it fails, it most likely is not an image, or the image is corrupt.

Now that's a decent suggestion.

Jeff

[tt]Jeff's Page [/tt][tt]@[/tt][tt] Code Couch

http://www.codecouch.com/jeff/

[/tt]

 

[elck]

I guess there is another leak somewhere,
I thought the 0777 file permission was the culprit.

My script only copies the upload if the extention is ok.
But the foreign scripts that I found had .php extentions.

Thanks for the ideas anyway