Zend Framework

Zend_Validate_File_isImage doesn't allow all image mime types

Details

  • Type: Improvement
  • Status: Resolved
  • Priority: Major
  • Resolution: Fixed
  • Affects Version/s: 1.10.0
  • Fix Version/s: 1.10.2
  • Component/s: Zend_Validate_File
  • Labels: None

Description

...
Within the constructor it defines all allowed image mime types, but you can't really define all of them.
I think it's better to remove all 'image/*' types and add a simple 'image' to the allowed mime list.

For example, currently "image/pjpeg" isn't an image.

Activity

Thomas Weidner added a comment -

Nope:

This would make this validator insecure, as someone could simply set their own type like "image/blabla", which would then be accepted.

On the other hand, there are some mimetypes which are NOT images and still use the image mimetype (image processing programs). These are actually NOT accepted by this validator.

The existing list of mimetypes is built from the official accepted mimetype list. You can still add your own mimetypes or also set "images" when you want to be insecure.

Other image types could be added per request, but until now there was none.

Marc Bennewitz (GIATA mbH) added a comment -

> This would make this validator insecure, as someone could simply set their own type like "image/blabla", which would then be accepted.
He can set his own type to one of the accepted types (e.g. "image/jpeg"), too.
Additionally, it only has an effect if headerCheck is activated and no mimetype functions are available.

> On the other hand, there are some mimetypes which are NOT images and still use the image mimetype (image processing programs). These are actually NOT accepted by this validator.
OK, this makes sense. But for example the mimetype "image/jpeg" passes on *.jgw (JPEG world file), too.

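The two points argued above (a wildcard "image/*" check accepts any made-up type, and a client-declared type says nothing about the bytes actually uploaded) as an added, stand-alone example, not code from Zend Framework: the declared type is checked against an explicit allow-list versus a wildcard, and the accept decision is made from the file's magic bytes. The allow-list, the signature table and the sample inputs are constructed for illustration.

```python
# Constructed samples: a PNG header plus padding, a BMP header, and a JPEG
# "world file" (.jgw), which is six lines of plain text rather than an image.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
BMP_SAMPLE = b"BM" + b"\x00" * 14
JGW_SAMPLE = b"0.5\n0.0\n0.0\n-0.5\n100.0\n200.0\n"

# Explicit allow-list (constructed subset of the validator's real list, with
# image/pjpeg added as the issue requests).
ALLOWED_IMAGE_TYPES = {"image/jpeg", "image/pjpeg", "image/png", "image/gif"}

# Magic-byte signatures for content sniffing (constructed subset). BMP is
# included as an image type that is deliberately NOT on the allow-list.
MAGIC = [
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"BM", "image/bmp"),
]

def declared_type_ok(declared, wildcard=False):
    """Check only the client-declared MIME type (what a header check sees).
    wildcard=True is the rejected proposal: anything under "image/" passes,
    including a made-up "image/blabla". The allow-list does not."""
    if wildcard:
        return declared.startswith("image/")
    return declared in ALLOWED_IMAGE_TYPES

def sniff_type(data):
    """Derive the type from the leading bytes, ignoring what the client
    claimed. Returns None when no known image signature matches."""
    for signature, mime in MAGIC:
        if data.startswith(signature):
            return mime
    return None

def validate_upload(declared, data):
    """Accept only when the content-derived type is on the allow-list.
    The declared type is reported when it disagrees with the content but
    never decides the outcome: image/pjpeg declared for real JPEG bytes is
    fine, while a .jgw text file declared as image/jpeg is rejected."""
    real = sniff_type(data)
    if real is None:
        return False, "content carries no known image signature"
    if real not in ALLOWED_IMAGE_TYPES:
        return False, "%s is not an allowed image type" % real
    if declared != real:
        return True, "accepted as %s (declared %s)" % (real, declared)
    return True, "accepted as %s" % real
```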
Thomas Weidner added a comment -

Fixed with r21138

