18 Jan 2006, 11:39 a.m.
So killing MIME magic does not sound like a good idea to me, since it takes our biggest upload security away. Unless I am completely wrong about the MIME, and in that case I should love some explanation :)
Little security is gained by using MIME magic. It's being used so that it's a bit harder (not much) to upload doctored MIME type stuff... The real security is in the following lines which add .txt to everything text. If you upload a .GIF which is not an image but an XSS JS and the MIME is text/plain so that IE will go guessing MIME type be it damned forever then if (((substr($file->filemime, 0, 5) == 'text/' will stop the parade. I am pretty confident about losing this recently introduced functionality.
Regards
NK
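The check described in the reply above, as an added example that is not part of the original post and not Drupal's own code: any upload whose MIME type starts with text/ gets a .txt suffix and is served as text/plain, whatever extension the uploader chose. The function name neutralize_text_upload() and the sample uploads are assumptions made for illustration.

```php
<?php
// Added illustration only. neutralize_text_upload() is a hypothetical name,
// not a function from the project discussed in the thread.

/**
 * Force anything reported as text to be stored and served as plain text.
 * Returns [stored filename, MIME type to serve].
 */
function neutralize_text_upload(string $filename, string $filemime): array
{
    // Drop path components and control characters from the client-supplied name.
    $filename = basename(str_replace('\\', '/', $filename));
    $filename = preg_replace('/[\x00-\x1f\x7f]/', '', $filename);
    if ($filename === '' || $filename === '.' || $filename === '..') {
        $filename = 'upload';
    }

    $mime = strtolower(trim($filemime));
    // Same prefix test as the fragment quoted in the reply.
    $is_text = substr($mime, 0, 5) === 'text/';
    $has_txt = strtolower(substr($filename, -4)) === '.txt';

    if ($is_text) {
        if (!$has_txt) {
            // avatar.GIF becomes avatar.GIF.txt, so the extension no longer
            // claims to be an image.
            $filename .= '.txt';
        }
        // Collapse every text subtype (text/html included) to text/plain.
        $mime = 'text/plain';
    }
    return [$filename, $mime];
}

// Constructed sample uploads: [client filename, MIME type reported for the file].
$samples = [
    ['avatar.GIF', 'text/plain'], // script content behind an image extension
    ['notes.txt',  'text/plain'], // already .txt, left alone
    ['page.html',  'text/html'],  // renamed and downgraded to text/plain
    ['photo.gif',  'image/gif'],  // not text, passes through unchanged
];

foreach ($samples as [$name, $mime]) {
    [$stored, $served] = neutralize_text_upload($name, $mime);
    printf("%-12s %-11s -> %-16s %s\n", $name, $mime, $stored, $served);
}
```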