-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
David Gerard wrote:
| Frank v Waveren (fvw.wikipediaml@var.cx) [050123 14:45]:
|>The filetypes allowable for uploads were hurriedly limited a while
|>back because of abuse, I suspect it's just that nobody thought of SVG.
|
| Does it check what the file actually is, or just check the extension?
Take a look at SpecialUpload.php some time. In summary, on upload we:
* Normalize the filename
* Ensure the extension is in a whitelist
* Ensure that no blacklisted extensions are present
* For known image types, use the getimagesize() function to detect the
  file type and ensure that there is an identifiable header.
** If no type is detected for a known extension, the file is rejected.
** If the detected type does not match the given extension, the file is
   rejected.
* Attempt to replicate Internet Explorer's HTML-detection heuristic to
  prevent scripting attacks using HTML+JavaScript embedded into a valid
  image file.
-- 
brion vibber (brion @ pobox.com)
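The check sequence Brion lists above, modelled as an added example in Python. This is not MediaWiki's code (SpecialUpload.php is PHP): the extension whitelist and blacklist, the magic-byte table that stands in for getimagesize(), the tag list used for the IE-style HTML sniff and the 1024-byte sniff window are all assumptions chosen for illustration, and the sample uploads at the bottom are constructed. The point it demonstrates is why each step is there: a whitelist alone passes "pic.php.png", a header check alone passes a real GIF with <script> in a comment block, and an extension check alone passes a JPEG renamed to .png.

```python
import re
from os.path import basename

# Policy tables (assumptions for this example, not MediaWiki's real lists).
ALLOWED_EXTENSIONS = {"png", "gif", "jpg", "jpeg"}
FORBIDDEN_EXTENSIONS = {
    "html", "htm", "js", "jsb", "php", "phtml", "php3", "php4", "php5",
    "phps", "shtml", "exe", "scr", "dll", "msi", "vbs", "bat", "com",
    "pif", "cmd", "cgi", "pl",
}

# Magic-number signatures standing in for getimagesize():
# (leading bytes, detected type, extensions that legitimately carry it)
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "png", {"png"}),
    (b"GIF87a", "gif", {"gif"}),
    (b"GIF89a", "gif", {"gif"}),
    (b"\xff\xd8\xff", "jpeg", {"jpg", "jpeg"}),
]

# Tags that make a browser's content sniffer treat bytes as HTML
# (assumed list; IE's real table is not reproduced here).
HTML_TAG_RE = re.compile(
    rb"<\s*(?:!doctype\s+html|html|head|body|title|script|table|a\s|img"
    rb"|pre|plaintext|iframe|object|embed|link|meta|style|\?xml)",
    re.IGNORECASE,
)
SNIFF_WINDOW = 1024  # bytes examined; assumed, IE historically used fewer


def normalize_filename(name):
    """Drop any directory part and collapse whitespace to underscores."""
    name = basename(name.replace("\\", "/"))
    return re.sub(r"\s+", "_", name.strip())


def split_extensions(name):
    """Every dot-separated part after the base name, lower-cased.
    'pic.php.png' -> ['php', 'png'] so inner extensions get checked too."""
    return [p.lower() for p in name.split(".")[1:]]


def detect_image_type(data):
    """Return (type, allowed extensions) from the file header, or (None, set())."""
    for magic, kind, exts in SIGNATURES:
        if data.startswith(magic):
            return kind, exts
    return None, set()


def looks_like_html(data):
    """IE-style sniff: HTML tags near the start of an otherwise valid image."""
    return HTML_TAG_RE.search(data[:SNIFF_WINDOW]) is not None


def check_upload(filename, data):
    """Run the checks in order; return (accepted, normalized name or reason)."""
    name = normalize_filename(filename)
    exts = split_extensions(name)
    if not exts:
        return False, "no extension"
    ext = exts[-1]
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension .%s not in whitelist" % ext
    bad = [e for e in exts if e in FORBIDDEN_EXTENSIONS]
    if bad:
        return False, "forbidden extension .%s present" % bad[0]
    kind, exts_for_kind = detect_image_type(data)
    if kind is None:
        return False, "no recognizable image header"
    if ext not in exts_for_kind:
        return False, "header says %s but extension is .%s" % (kind, ext)
    if looks_like_html(data):
        return False, "HTML-like content inside image"
    return True, name


# Constructed sample uploads.
GOOD_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
GOOD_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 32
# A real GIF header followed by a script where a comment block could sit.
GIF_WITH_SCRIPT = b"GIF89a\x01\x00\x01\x00" + b"<html><script>alert(1)</script>"

if __name__ == "__main__":
    for fname, blob in [("photo.jpg", GOOD_JPEG), ("evil.html", GOOD_PNG),
                        ("pic.php.png", GOOD_PNG), ("pic.png", GOOD_JPEG),
                        ("pic.gif", GIF_WITH_SCRIPT), ("My Photo.PNG", GOOD_PNG)]:
        print(fname, "->", check_upload(fname, blob))
```

Each rejection reason names the step that fired, which is what you want in an upload log: "header says jpeg but extension is .png" and "forbidden extension .php present" are distinct abuse patterns worth tracking separately.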