Home/ Questions/Q 6338767
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-24T19:30:46+00:00

I am working on a PHP-based project management system that allows users to upload

  • 0

I am working on a PHP-based project management system that allows users to upload a variety of media files. To prevent users from uploading malicious files, the system verifies both the MIME type (using finfo_file) and the extension (using pathinfo) against a whitelist.

This has worked well, with one exception: .FLA (Flash movie authoring) files. Unfortunately, finfo_file can’t parse a MIME type for these files. Instead it returns this somewhat misleading error message:

“CDF V2 Document, corrupt: Cannot read summary info”

(I verified the test .FLAs I’m using aren’t actually corrupt.)

Obviously checking the extension only is insufficient, since all someone would have to do is give a malicious script an .FLA extension to bypass my safeguards. What else might I do to maximize the chances that an uploaded .FLA file is safe? (The system must support .FLA uploads — it’s non-negotiable.)

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Can you restrict them to CS5 FLA’s? Because those are zip files with fairly simple content. You can call the following:

    <?php 
$za = new ZipArchive(); 

$arr = array();
$za->open('D:\\path\\to\\file.fla'); 
for( $i = 0; $i < $za->numFiles; $i++ ){ 
    $stat = $za->statIndex( $i ); 
    $arr[] = $stat['name']; 
} 
?>

    That should, give you these (as a minimum):

    mimetype
LIBRARY
META-INF
DOMDocument.xml
metadata.xml
PublishSettings.xml
MobileSettings.xml
SymDepend.cache

    The catch is that this only works for CS5 and it does not work consistently for files created in CS3 or 4.

    Of course, you should make sure that you prevent your server from having anything which can open an Adobe Creative Suite file of any form. and recommend anti-virus to your clientele.

    • 0