Ticket #80 (closed Task: fixed)

Opened 8 years ago

Last modified 7 years ago

The PHP implementation must conform to our standards

Reported by: FredCK
Owned by: wwalc
Priority: Normal
Milestone: FCKeditor 2.5 Beta
Component: Server : PHP
Version:
Keywords:
Cc:

Description

Check that the PHP integration is ok with our standards, as defined at Server Side Integration Status.

Change History

comment:1 Changed 7 years ago by fredck

  • Owner FredCK deleted

comment:2 Changed 7 years ago by fredck

The following is a proposal from Nicolas Grekas to check if an image file is really an image:

// Reject the upload (error code 202) if PHP cannot parse the file as an image.
if ( false === @getimagesize( $oFile['tmp_name'] ) )
	SendResults( '202' ) ;

comment:3 Changed 7 years ago by wwalc

  • Owner set to wwalc
  • Status changed from new to assigned

comment:4 Changed 7 years ago by wwalc

It's an almost perfect solution, but unfortunately we should also take care of the situation where a perfectly valid image file still contains HTML code inside.

It is described here: http://www.splitbrain.org/blog/2007-02/12-internet_explorer_facilitates_cross_site_scripting

and some comments can be found here:

http://sla.ckers.org/forum/read.php?13,7019

I checked a few open source projects to see how they handle image uploads and it seems that Mediawiki has a very good solution for it. I borrowed their code and adjusted it for FCKeditor. Let me know, guys, what you think of it.

[684] (BTW. I'll adjust it to CodingStyle rules, sorry for that)
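A defensive check along the lines discussed above, as an added example (it is neither the connector code committed in [684] nor MediaWiki's code): it combines the getimagesize() test from comment:2 with a scan of the file's first bytes for HTML markers that a browser's content sniffing could act on. The function name and the sample files are assumptions.

```php
<?php
// Added example, not FCKeditor's connector code. Returns true only if the file
// parses as an allowed image type AND its leading bytes carry no HTML markers.
function isSafeImageUpload( $path, $allowedTypes = array( IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG ) )
{
	// Step 1: the getimagesize() check from comment:2, tightened to a whitelist of types.
	$info = @getimagesize( $path ) ;
	if ( false === $info || !in_array( $info[2], $allowedTypes, true ) )
		return false ;

	// Step 2: inspect the first 1 KB, the region content sniffing relies on.
	$head = @file_get_contents( $path, false, null, 0, 1024 ) ;
	if ( false === $head )
		return false ;

	// Normalise: drop NUL bytes (used to split tags) and lower-case for matching.
	$head = strtolower( str_replace( "\0", '', $head ) ) ;

	// Markers that mean "this is really markup"; an accidental hit in binary data
	// is a false positive we accept, since the file is simply rejected.
	$markers = array(
		'<html', '<head', '<body', '<script', '<iframe', '<object', '<embed',
		'<meta', '<title', '<a href', '<img', '<!doctype', '<?xml', 'javascript:', 'vbscript:'
	) ;
	foreach ( $markers as $marker )
	{
		if ( false !== strpos( $head, $marker ) )
			return false ;
	}
	return true ;
}

// Constructed samples: a real 1x1 transparent GIF, clean and with markup appended
// (the case from the splitbrain.org write-up). getimagesize() accepts both;
// only the byte scan tells them apart.
$gif = base64_decode( 'R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7' ) ;
$clean = tempnam( sys_get_temp_dir(), 'img' ) ;
file_put_contents( $clean, $gif ) ;
$tainted = tempnam( sys_get_temp_dir(), 'img' ) ;
file_put_contents( $tainted, $gif . '<script>alert(1)</script>' ) ;

echo 'clean image accepted: ', ( isSafeImageUpload( $clean ) ? 'yes' : 'no' ), "\n" ;
echo 'image with markup accepted: ', ( isSafeImageUpload( $tainted ) ? 'yes' : 'no' ), "\n" ;
unlink( $clean ) ;
unlink( $tainted ) ;
```

Serving uploads with a correct Content-Type header and, where supported, `X-Content-Type-Options: nosniff` complements this check, since the scan only covers the first kilobyte.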

comment:5 Changed 7 years ago by wwalc

  • Status changed from assigned to closed
  • Resolution set to fixed
© 2003 – 2012 CKSource – Frederico Knabben. All rights reserved.