Re: Mail Attachment Security



On Wed, 31 Jan 2007 00:31:40 -0000, gordonb.a68sj@xxxxxxxxxxx (Gordon
Burditt) wrote:

I have created a script which attaches form uploaded files to an
email. What security is suggested to prevent attachments which may
contain viruses, etc. from being uploaded?

If the uploaded file is coming from an untrusted source, don't trust
it. It's probably SPAM. The worst stuff is just straight text
files that contain stuff that infects human minds (like MAKE MONEY
FAST chain letters).

I am running finfo_file()
to determine the mime-types of the files being uploaded, so it should
be easy to exclude certain types of files based on this, or the file's
extension.

Not nearly enough. MIME types and file names can be arbitrarily set to
misrepresent the contents.

While I may agree with you, my client wants an upload so that is what
she gets. I may have to send the mails via SMTP so they run through a
Brightmail service and then Spam Assassin instead of going directly to
her mailbox. I was just hoping for something a bit simpler.
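
Added example, not part of the original thread: one way to act on the point above that a finfo_file() result or a file extension alone is not enough, by requiring both to agree with a fixed allowlist and discarding the client's file name. The allowlist, the size limit and the function name check_attachment are assumptions; a file that passes has only been shown to look like its claimed type, so it still belongs in front of the mail scanner mentioned above.

```php
<?php
// Added example, not code from the thread.
// Allowlist and size limit are assumed values; adjust to what the form needs.
const ALLOWED = [            // extension => MIME type finfo must report
    'pdf'  => 'application/pdf',
    'txt'  => 'text/plain',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
];
const MAX_BYTES = 2 * 1024 * 1024;

// $path:       file on disk (in a form handler: $_FILES[...]['tmp_name'])
// $clientName: name sent by the browser ($_FILES[...]['name']), untrusted
function check_attachment(string $path, string $clientName): array
{
    $size = filesize($path);
    if ($size === false || $size === 0 || $size > MAX_BYTES) {
        return ['ok' => false, 'reason' => 'size'];
    }
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        return ['ok' => false, 'reason' => "extension '$ext' not allowed"];
    }
    // finfo inspects the file's bytes; the browser-sent type is never consulted.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if ($detected !== ALLOWED[$ext]) {
        return ['ok' => false, 'reason' => "content is $detected, name says .$ext"];
    }
    // Do not reuse the client's file name in the mail; generate one.
    return ['ok' => true, 'name' => bin2hex(random_bytes(8)) . '.' . $ext];
}

// Constructed sample inputs written to temp files, so the script runs offline.
$samples = [
    ['report.pdf', "%PDF-1.4\n%%EOF\n"],       // name and content agree
    ['report.pdf', "just some plain text\n"],  // content disagrees with name
    ['notes.php',  "plain text again\n"],      // extension not on the list
];
foreach ($samples as [$name, $bytes]) {
    $tmp = tempnam(sys_get_temp_dir(), 'att');
    file_put_contents($tmp, $bytes);
    echo $name, ' => ', json_encode(check_attachment($tmp, $name)), "\n";
    unlink($tmp);
}
```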