Since I'm on a 'finish blog drafts' spree, I might as well publish this one too. I have actually had it in draft for about five months now anyway.
In most upload tools, files are checked on their extension only. While that might seem pretty solid, it is not as safe as you might think, especially in combination with Apache and mod_mime.
When you do:
rename image.jpg to image.txt and request domain.com/image.txt, you get garbled text: the JPEG bytes are served as text/plain, because .txt is the only extension Apache sees.
However, when you try something like this:
rename file.php to file.php.bogus and request domain.com/file.php.bogus,
the PHP code within the file is executed by the handler set for the .php extension. mod_mime looks at every dot-separated extension in the file name, lets each known one set the handler or content type, and simply ignores the ones it does not know (.bogus here). The last extension is not the only one that counts.
Before you get all excited: this scenario is not very likely, because it only works for file extensions Apache does not know. So basically, this can only happen when your upload check black-lists extensions rather than white-listing them, and when checking files you shouldn't be black-listing in the first place. Let's go into detail about the why.
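To make the two halves of the argument concrete, here is an added example (not code from the original post): a small Python model of the mod_mime extension walk described above, next to a black-list check, a last-extension white-list check, and a stricter check that only accepts a single white-listed extension. The handler and type tables, the extension lists and the function names are assumptions chosen for the demonstration; they stand in for whatever AddHandler/AddType lines a real httpd.conf would contain, and the walk is a simplified model of mod_mime, not Apache's code. It also goes one step beyond the post: a file such as file.php.jpg passes a white-list that looks only at the final extension, yet still picks up the PHP handler, which is why the strict check (or storing uploads under a server-generated name) is the safer option.

```python
# Added example: simulate how mod_mime resolves handler and content type from
# a file name with several extensions, and compare upload checks against it.

# Assumed configuration tables. These stand in for AddHandler/AddType lines in
# httpd.conf and are not taken from any real server.
HANDLERS = {"php": "application/x-httpd-php", "cgi": "cgi-script"}
TYPES = {"jpg": "image/jpeg", "png": "image/png", "txt": "text/plain", "html": "text/html"}

# Assumed extension lists for the two styles of upload check.
DANGEROUS = {"php", "phtml", "php3", "cgi", "pl"}
ALLOWED = {"jpg", "png", "gif", "txt"}


def resolve(filename):
    """Model of the mod_mime extension walk: every dot-separated extension after
    the base name is inspected; a known handler extension sets the handler, a
    known type extension sets the content type, unknown ones are ignored.
    Returns (handler, content_type), either of which may be None."""
    handler = None
    ctype = None
    for ext in filename.split(".")[1:]:
        ext = ext.lower()
        if ext in HANDLERS:
            handler = HANDLERS[ext]
        elif ext in TYPES:
            ctype = TYPES[ext]
        # anything else (e.g. ".bogus") is skipped, so earlier extensions still count
    return handler, ctype


def would_execute(filename):
    """True when the modelled server would hand the file to a script handler."""
    return resolve(filename)[0] is not None


def last_extension(filename):
    return filename.rsplit(".", 1)[-1].lower()


def blacklist_check(filename):
    """Black-list on the final extension: accepts anything not on the bad list."""
    return last_extension(filename) not in DANGEROUS


def whitelist_check(filename):
    """White-list on the final extension only."""
    return last_extension(filename) in ALLOWED


def strict_check(filename):
    """White-list that also insists on exactly one extension, so no earlier
    extension is left for mod_mime to act on."""
    parts = filename.lower().split(".")
    return len(parts) == 2 and parts[0] != "" and parts[1] in ALLOWED


def accepted_but_executable(check, filenames):
    """Return the uploads a given check lets through that the server would execute."""
    return [f for f in filenames if check(f) and would_execute(f)]


if __name__ == "__main__":
    # Constructed sample file names covering the cases from the post plus .php.jpg.
    samples = ["image.txt", "file.php.bogus", "file.php.jpg", "photo.jpg", "shell.php"]
    for name, check in (("blacklist", blacklist_check),
                        ("whitelist", whitelist_check),
                        ("strict", strict_check)):
        print(name, "lets through and executes:", accepted_but_executable(check, samples))
```

Running the script shows the black-list passing file.php.bogus, the last-extension white-list passing file.php.jpg, and the strict check passing nothing that the modelled server would execute. Whatever check you use, the real fix on the Apache side is to bind the PHP handler with `<FilesMatch "\.php$">` and SetHandler rather than AddHandler, so only a trailing .php is ever executed; treat that as general advice, not something the post configures.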
Continue reading "Be careful with double extensions"