My problem is to prevent users from uploading malicious files to my web server. I'm working in a Linux environment (Debian).
Actually the uploads are handled via php by t
Is there a way, in PHP, Python, or whatever else a Unix system can easily run, to check the true type of a file?
No.
You can create a file called, say, “something.pdf” that is a perfectly valid PDF document but still contains signature strings like “”. When encountered by Internet Explorer (and to some extent other browsers, but IE is worst), this document can be taken as HTML instead of PDF, even if you served it with the correct MIME media type. Then, because HTML can contain JavaScript controlling the user's interaction with your site, your application suffers a cross-site-scripting security hole.
Content-sniffing is a security disaster. See this post for some general workarounds: Stop people uploading malicious PHP files via forms
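The point made in the answer above, as an added example that is not part of the original answer: a magic-byte check reports a file as PDF even though it also contains HTML tags a sniffing browser could act on, so the upload check is paired with response headers that tell the browser not to sniff. The function names, the token list, the 4096-byte window and the sample bytes are assumptions made for this illustration.

```python
import re

# Leading magic bytes for a few upload types (constructed subset for this example).
MAGIC = {
    b"%PDF-": "application/pdf",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
}
# Tags a content-sniffing browser could read as HTML (illustrative, not exhaustive).
HTML_TOKENS = re.compile(rb"<\s*(?:!doctype|html|head|body|script|iframe)\b", re.I)

def magic_type(data):
    """Return the MIME type implied by the file's leading bytes, or None."""
    for prefix, mime in MAGIC.items():
        if data.startswith(prefix):
            return mime
    return None

def has_html_tokens(data, window=4096):
    """True if the first `window` bytes contain HTML-looking tags (window is an assumption)."""
    return HTML_TOKENS.search(data[:window]) is not None

def check_upload(data):
    """Report both views: what the magic bytes say and what a sniffer might see."""
    return {"magic_type": magic_type(data), "html_tokens": has_html_tokens(data)}

def download_headers(filename, mime):
    """Response headers that stop the browser second-guessing the declared type."""
    safe = re.sub(r"[^A-Za-z0-9._-]", "_", filename)  # no quotes or CR/LF in the header
    return {
        "Content-Type": mime or "application/octet-stream",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{safe}"',
    }

# Constructed samples: both begin with a PDF header; the first also carries HTML tags.
SAMPLE_MIXED = b"%PDF-1.4\n% <html><body>constructed sample</body></html>\n%%EOF\n"
SAMPLE_PLAIN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"

if __name__ == "__main__":
    for name, blob in (("mixed.pdf", SAMPLE_MIXED), ("plain.pdf", SAMPLE_PLAIN)):
        print(name, check_upload(blob), download_headers(name, magic_type(blob)))
```

Both samples pass the magic-byte check as `application/pdf`; only the token scan tells them apart, and a clean scan does not prove a file is safe, which is why the headers are applied to every download.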