xampp - Apache: Prevent PDF-File with non-pdf-extension from opening
I'm quite new to setting up a server, and I have a XAMPP / Apache 2 related question:
When I rename the extension of a PDF file to .txt, browsers open the PDF as plain text (which I understand, and which is good).
But:
When I rename the PDF extension to .jpggggg, it still opens as a PDF!
Why??
Because I'm afraid that someone uploads a valid PDF with a hidden exe in it, and tricks me into double-clicking it (which installs a virus/backdoor/anything else on the server or ruins it).
So how can I manage to filter such "PDFs with .exe/.app in it" out?
Some info for you:
--> Apache version 2.4
--> The default MIME type is set to plain text!
--> I deactivated loading of the mime_magic module (by starting the line with # (#LoadModule mime_magic_module modules/mod_mime_magic.so))
--> Also, I deactivated the other line with MIMEMagic in it (# MIMEMagicFile "conf/magic").
(Unfortunately I had no other idea than deactivating the mimemagic module!)
What else can I do?
So my questions are:
1. Why do browsers (Chrome, IE 8, Firefox) handle the file as a PDF although the extension is set to ".jpggggg", and how can I prevent that behavior?
2. How can I use PHP to filter out a valid PDF that has an exe in it?
Thanks in advance for your help!
tine
OK, considering the emphasis in your reaction to my comment, where you ask how you can achieve what you sketched in the question, here is more information. This is to the best of my knowledge, though other opinions exist:
To prevent the client system from "opening" a downloaded file at the moment of download, you can (and should anyway) implement your own handler for the download. Meaning: the request for a file is not handled by the HTTP server directly delivering the file found in the file system. Instead, the request is handled by a script. That script can do a number of things: check the existence of the file, the permissions to download it, the type of the file (real or faked) and, importantly, it can send the client whatever information you desire. In this case, that is an HTTP Content-Type header claiming that what follows is a plain text file. The browser (not the client system) will accept that and deal with it accordingly. You can also force the browser to save the payload as a file instead of attempting to open it right away.
However, this does not solve the problem you address at all. It falls short. Because in the end the file is on the client system, and that system acts according to its own logic when handling a locally stored file. If the file is, for example, a PDF and the system is asked to open it, it will do so (except on MS-Windows, where it depends on how you give the command to open it). You cannot prevent that, since it is client-side logic you have no control over. Except maybe by crippling the file, which makes the whole point of downloading and handling the file obsolete.
So your approach suggests a wrong feeling of "security" that it does not offer. By the way: what point is there in trying to prevent the opening of such a PDF file (holding an executable inside)? The only way to keep the scenario safe is to not have the file at all. Because what is the point of having a file disguised superficially as something else? It has no value that way.
Instead you should think about real solutions to the issue:
- not accepting PDFs carrying such embedded code in the first place
- use of PDF interpreters (viewing programs) that are not so stupid as to run untrusted code (I know, the world claims one needs Adobe/Acrobat Reader to open a PDF, but that is a) total nonsense and b) one of the worst choices for a PDF interpreter)
- use of an operating system on the client side that is more secure than MS-Windows. "exe" style executable files are something limited to the MS-Windows world. No other operating system can make use of them (not directly anyway). Embedding such things in a wrapper format like PDF never makes sense in a respectable business anyway. It is limited and short-sighted. I know, the majority of people do use MS-Windows, also in fields of business. But you cannot make the choice of an insecure environment magically more secure.
To round things up: you try to introduce a security step that does not offer real security but lures people into a kind of safe feeling on a superficial level. Don't do that, it is counterproductive. Either solve the issue by blocking such content or rely on people who know what they want and know what they are doing. Don't try to outsmart everyone. You can't.
Just my 2 cents...
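
The download handler described in the answer above, written out in PHP as an added example that is not part of the original question or answer. The storage path, the `f` request parameter and the mismatch policy are assumptions; it relies on PHP's fileinfo extension and sends a generic type with `nosniff` rather than the plain-text type the answer mentions.

```php
<?php
// download.php: added example, not code from the original post.
// Assumptions: uploads are stored outside the web root in STORAGE_DIR and
// are requested as download.php?f=<name>; both names are hypothetical.
declare(strict_types=1);

const STORAGE_DIR = '/var/uploads';   // assumed location, not web-accessible

function fail(int $status): void
{
    http_response_code($status);
    exit;
}

// basename() drops any directory part the client supplied.
$name = basename((string) ($_GET['f'] ?? ''));
$path = realpath(STORAGE_DIR . DIRECTORY_SEPARATOR . $name);
$root = STORAGE_DIR . DIRECTORY_SEPARATOR;

// realpath() returns false for missing files; the prefix check rejects
// symlinks that resolve to a location outside the storage directory.
if ($name === '' || $path === false
    || strncmp($path, $root, strlen($root)) !== 0
    || !is_file($path)) {
    fail(404);
}

// Type determined from the file content ("real or faked"), independent of
// the extension the uploader chose. Requires the fileinfo extension.
$realType = (new finfo(FILEINFO_MIME_TYPE))->file($path);
$ext      = strtolower(pathinfo($name, PATHINFO_EXTENSION));

// Example policy (an assumption): content is PDF but the name says otherwise.
if ($realType === 'application/pdf' && $ext !== 'pdf') {
    fail(403);
}

// Generic type plus nosniff: the browser must not guess a type from content.
// "attachment" makes the browser save the payload instead of rendering it.
$safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', $name);
header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: attachment; filename="' . $safeName . '"');
header('Content-Length: ' . (string) filesize($path));
readfile($path);
```

As the answer points out, this only controls what the browser does at download time; what happens when the saved file is later opened is decided on the client.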