Setting my own MIME Types

[HaLo2FrEeEk]

My server allows for setting custom mime types through htaccess, using this line:

 

AddType [mimetype name] [extension]

 

I am trying to set a custom mime type for files with ppf and sppf extensions, so I am using this:

 

AddType application/halo2-ppf ppf

AddType application/halo2-sppf sppf

 

Am I doing something wrong?  I added this to my top level htaccess file, it didn't work, so I added i to a htaccess file in the folder where the upload page is, and it still didn't work, am I doing something wrong?

[Voldemort]

application/halo2-ppf isn't an actual MIME type, as far as Google knows... you need to use something real, like application/x-httpd-php5 .php for PHP5.

[HaLo2FrEeEk]

php4, not 5, I can't use php5.  Anyways, I need the mime type to be a specific type so I can deny or accept the files being uploaded, but it keeps saying that they are

 

application/octet-stream

 

which is also executables and a lot of other filetypes, and NOT the ones I need.

[Voldemort]

application/halo2-ppf isn't an actual MIME type though - by custom MIME type it means custom extensions for pre-made MIMEs.

 

Valid:

AddType image/gif .gifimg

 

Invalid:

AddType madeup/mime-type .diffExt

 

Or if they do exist and Google is just crappin' out on me:

 

AddType application/halo2-ppf .ppf

AddType application/halo2-sppf .sppf

 

It has to be dotextension at the end

[Glyde]

According to filext, .ppf has a corresponding MIME type of application/ppf.  You can use that one.  However, it says .sppf doesn't exist.

Anyways, the way you are going about it is really an inaccurate way of trying this.  Anyone can upload an executable file but change the extension to .ppf, which will trick your server into believing it is a application/ppf file.

[HaLo2FrEeEk]

How would I check that the file is either a ppf or sppf?  I know that it can be done, imageshack and other hosting sites do it, I need to make this secure and simple for the users.

 

Also, all the sites I've looked on said that there needs to not be a dot:

 

extension = the file’s designation. This should not include a dot (.):  if the file’s extension is .jpeg, you should only enter jpeg.

[Glyde]

Well, you may or may not be able to find a simple but consistent header that is in all of the files.  Or possibly a footer than you can check for.

[MadTechie]

i guess you could read the image dim's and then use imagecreatefromjpeg($filename) and write the output to a file this could cause problems if the file isn't a jpeg

[Guest prozente]

When a file is uploaded check the files extension, that's all you need. Checking the MIME shouldn't be trusted and you don't have control over it anyway. The MIME type of files being uploaded to your server is set by the users browser. You can only control MIME on files being downloaded from your server.

[Glyde]

When a file is uploaded check the files extension, that's all you need. Checking the MIME shouldn't be trusted and you don't have control over it anyway. The MIME type of files being uploaded to your server is set by the users browser. You can only control MIME on files being downloaded from your server.

Hah, that's funny.  You say the MIME can't be trusted.  What if I had an exe file, and used Windows magical "Rename" tool to change the exe to a ppf and upload it.

[MadTechie]

you can create a false mine type and of course changing the extension is easy hence my idea if rebuilding the image.. using the GD library 

[Guest prozente]

When a file is uploaded check the files extension, that's all you need. Checking the MIME shouldn't be trusted and you don't have control over it anyway. The MIME type of files being uploaded to your server is set by the users browser. You can only control MIME on files being downloaded from your server.

Hah, that's funny.  You say the MIME can't be trusted.  What if I had an exe file, and used Windows magical "Rename" tool to change the exe to a ppf and upload it.

What's your point? ppf files aren't executable.

[Glyde]

Doesn't matter if it's .ppf, .asjdfg, .jga or .fhg the point is, it's still an executable file, just not with that extension.  The only reason is because the windows shell doesn't see .ppf as an executable file, even though the code inside of it may surely be executable.  It's this same little "spoof" that can allow users to create so many types of executable files with varied extensions that will still harm the user's computer.

[Guest prozente]

You don't know what you speak of. File extensions won't be executed by windows unless specified in the registry.

[Glyde]

"I don't know what I speak of"...I find your ignorance quite hillarious.  You see, while you are correct in saying that windows will only run executable files if the extension is defined in the registry, you are far incorrect by saying that only .exe files can contain executable code which may harm a computer.  .doc, .xls, .ocx, .wmz, .xlm, .vbs, .bat, .pif, .reg, etc, may all harm a users computer.  Additionally, the point is not just about protecting users security or thinking that they download the virus.  I could simply use the server as a hosting site for all of my .exe files by just changing the extension to .ppf, whether or not I had an intention to use the maliciously or not.  Anyways, .exe is not the only file that can do damage, and believe it or not, quite a few people don't know what a .pif, .bat, or .reg file does...and may open it.  Same with .ocx, .wmz, .doc, .xls, etc.

 

Anyways, we're far off topic.  Feel free to just check for a certain extension, but you can pretty much just call your server a file host at that point.  I would suggest looking for some type of header in the file.  Some text that is consistent across all .ppf files.  For example, MP3 files have an ID3 tag header.  Just something that can identify it.  Even if it's not "foolproof" it'll be enough to make uploading more of a hassle than it's worth.

[Guest prozente]

You are going far off track, first I didn't say exe was the only executable file. Don't put words in my mouth. Don't call me ignorant. You claimed that renaming an exe to ppf would still leave the file as harmful. You are wrong in this sense. As was the topic MIME can't be trusted when looking at the MIME of a file that has been uploaded, as the MIME is set by th browser. Which is client side. Anything client side is to not be trusted. I'm not going on with this ridiculous pissing contest as you've taken this way offtopic.

[Glyde]

You are going far off track...I'm not going on with this ridiculous pissing contest as you've taken this way offtopic.

LOL.  Anyways.  My final comments to you are that: extension changing is also client side, so why is it trusted?  And also, saying that a renamed .exe is no longer harmless is like saying a serial killer sleeping isn't harmless.  It's still harmless, just not in its current state.

 

Now, I really don't feel like continuing this argument any longer.  If you wish to continue, please PM me.  We have spammed this guy's topic enough without providing any help whatsoever.  Once again a simple statement or notice of insecurity led to a big blowout.  Wow.

[HaLo2FrEeEk]

...

...

 

Well, thank you to everyone who tried to help, the security of my server and my users is very important to me.  I am not uploading images, I am uploading patches for mods for Halo 2, in ppf and sppf format, I'm not sure if there is a header in the file or not, I will look.

 

And please don't argue anymore, thanks.