Softbank's 'Pepper' robot is a security joke

g00se
.fail

the application performs no control over the file extension. As a matter of fact, we were able to upload images, text files whose extensions had been modified to images, and even plain text files without performing extension editing

Actually Unixes don't use the lame and naive system of determining a file's type by looking at its extension. They use magic numbers - a binary analysis of the file. And that's what should be employed in input sanitization if indeed that's required in what I'm surmising is an image viewer. E.g. if you pass a non-image file to feh, it will tell you there's no "loader for that file format".
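As an added illustration of the point above (example code, not part of g00se's comment or of the Pepper software), here is an upload check in Python that decides by the file's leading bytes rather than the client-supplied extension; the signature table and the sample inputs are constructed for the demonstration.

```python
# Added example: validate an uploaded "image" by its magic number, never by
# the extension the client chose. Signature table and samples are constructed.
from dataclasses import dataclass
from typing import Optional

# Well-known image signatures found at offset 0 (GIF has two common variants).
MAGIC_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}
EXPECTED_EXTENSIONS = {
    "image/png": {"png"},
    "image/jpeg": {"jpg", "jpeg"},
    "image/gif": {"gif"},
}

def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the leading bytes, or None if no match."""
    for magic, mime in MAGIC_SIGNATURES.items():
        if data.startswith(magic):
            return mime
    return None

@dataclass
class UploadDecision:
    accepted: bool
    reason: str
    sniffed_type: Optional[str] = None

def check_upload(filename: str, data: bytes) -> UploadDecision:
    """Accept only content that carries an image signature. The extension is
    checked last and only for consistency: a renamed text file (exactly the
    case the article describes) fails on the signature before it gets there."""
    sniffed = sniff_image_type(data)
    if sniffed is None:
        return UploadDecision(False, "no image signature at offset 0")
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in EXPECTED_EXTENSIONS[sniffed]:
        return UploadDecision(False, f"extension '{ext}' does not match {sniffed}", sniffed)
    return UploadDecision(True, "signature matches extension", sniffed)

# Constructed samples: a minimal PNG header, and a text file renamed to .png.
PNG_HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR"
RENAMED_TEXT = b"hello, this is not an image\n"

if __name__ == "__main__":
    print(check_upload("photo.png", PNG_HEADER))    # accepted
    print(check_upload("photo.png", RENAMED_TEXT))  # rejected: no signature
    print(check_upload("photo.txt", PNG_HEADER))    # rejected: mismatch
```

A matching signature only proves the first few bytes, so a hardened upload handler would additionally decode the file with an image library and re-encode it before storing or serving it.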


Biting the hand that feeds IT © 1998–2019