Yii CMultiFileUpload security: how to detect the image type by something other than 'accept'=>'jpg|png|gif'? I mean, if I create a script file, name it script.jpg and upload it, it will upload. What is the solution from a security perspective?
On the server side you still need to check whether the uploaded files have allowed types.
Also, not just the file extension should be checked but also the MIME type, extracted by analyzing part of the file (the header, aka magic bytes).
I also make sure the uploaded files are not accessible via webserver so they cannot be executed if a user finds a way to upload scripts or other malicious content.
Thank you for your help.
I will add my sample code to check if it is the correct way.
<?php echo $form->errorSummary(array($model,$post_pic)); ?>
<?php $this->widget('CMultiFileUpload',array(
    'attribute'=>'name',
    'model'=>$post_pic,
    //'accept'=>'jpg|png|gif',
    'max'=>3,
    'remove'=>Yii::t('ui','Remove'),
    //'denied'=>'', message that is displayed when a file type is not allowed
    //'duplicate'=>'', message that is displayed when a file appears twice
    'htmlOptions'=>array('size'=>25),
)); ?>
I commented out //'accept'=>'jpg|png|gif', to validate from the post_picture model.
I have two models, the post model and post_picture:
array('name', 'file', 'types'=>'jpg, gif, png'),
That does not work: I can upload any file with any extension, and validation from the post_picture model does not catch that the file is not an image.
And for the MIME type, does Yii check it or do I need to add that action to my code?
And thank you for your help again.
Yii just allows the files with accepted extensions only, but you have to check their MIME type…
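The server-side checks the replies describe (MIME type read from the file's magic bytes, plus storage under a server-chosen name outside the web root), as an added example that is not part of the original thread or of Yii itself. The function names `allowedImageExtension` and `storeImage` and the storage directory are hypothetical, and the two sample files are constructed for the demonstration.

```php
<?php
/** Returns the canonical extension for an allowed image, or null to reject. */
function allowedImageExtension($tmpPath, $clientName)
{
    // Allowlist: detected MIME type => extensions the client name may carry.
    $allowed = array(
        'image/jpeg' => array('jpg', 'jpeg'),
        'image/png'  => array('png'),
        'image/gif'  => array('gif'),
    );
    // 1. MIME type from the file content (magic bytes), never from
    //    the browser-supplied $_FILES[...]['type'].
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);
    if ($mime === false || !array_key_exists($mime, $allowed)) {
        return null;
    }
    // 2. The client-supplied extension must agree with the detected type.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed[$mime], true)) {
        return null;
    }
    // 3. The header must also parse as an image with real dimensions.
    $info = @getimagesize($tmpPath);
    if ($info === false || $info[0] < 1 || $info[1] < 1) {
        return null;
    }
    return $allowed[$mime][0];
}

/** Copies an accepted file under a random name; returns the new path or null. */
function storeImage($tmpPath, $clientName, $storageDir)
{
    $ext = allowedImageExtension($tmpPath, $clientName);
    if ($ext === null) {
        return null;
    }
    // The stored name is chosen by the server, so the client controls
    // neither the path nor the extension.
    $target = $storageDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    // For a real upload, use move_uploaded_file() or CUploadedFile::saveAs().
    return copy($tmpPath, $target) ? $target : null;
}

// Constructed sample input: a script renamed to .jpg, and a 1x1 GIF.
$dir = sys_get_temp_dir(); // stand-in for a directory outside the web root
file_put_contents("$dir/script.jpg", "<?php echo 'hi'; ?>");
file_put_contents("$dir/pixel.gif", base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));
var_dump(storeImage("$dir/script.jpg", 'script.jpg', $dir));
var_dump(storeImage("$dir/pixel.gif", 'pixel.gif', $dir));
```

A file can carry valid image magic bytes and still contain script text further in, so the content check complements, rather than replaces, keeping uploads where the web server will not execute them.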