Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
It is said in many article about securing file upload that it is better to prepare a white list of extension instead of a blacklist. But it seems this method has some problem with double extension files. For example I have a whitelist like ‘pdf’,’doc’,’docx’ but this white list return true for apple.php.doc or apple.doc.php .
How can I write a secure extension check function?
you should try to understand the reasons for this, your question doesn’t make any sense.
the reason you shouldn’t allow any particular extension is that some webservers (like Apache) determine the way the files are server based on them, of course that only applies to files within the directories they’re serving publicly but most of the time the uploaded files go there so what happens when you allow an extension that the server will execute like .php is that it allows random people on the web to inject code on your site.
that doesn’t happen for .php.doc because the extension is still .doc and the server will treat it like that.
it’s worth mentioning that one can configure the webserver to not execute certain files within a directory but it’s not the default and few people actually do so.