A few things to keep in mind are:

* Don't just validate against the MIME type submitted by the client; verify the MIME type by inspecting the uploaded file directly.
* Image transformations help to prevent some exploits (i.e. by stripping comment metadata).
* Uploaded files shouldn't be directly accessible; either only serve i.e. transformed images (see above) or obscure them by using UUIDs.
- David

On 1 Sep., 07:21, the_woodsman <elwood.ca...@gmail.com> wrote:
> RE The media view - I try and avoid this unless it's a real security
> requirement, as it means every request for a simple image requires
> CakePHP to handle it, vastly increasing the load on your servers, and
> the latency for that file.
>
> An alternative is to save each file based on a UUID, or similar - this
> means you can serve the image files directly, but it's basically
> impossible to guess another user's image UUIDs, meaning it's still
> very secure.
>
> (That's my understanding - I'd be interested if anyone disagrees?)
>
> On Aug 31, 7:55 pm, Miles J <mileswjohn...@gmail.com> wrote:
> >
> > Regarding the mimetype, it allows all mimetypes listed in the config
> > folder. If you want to restrict the type, use the file validation
> > behavior.
> >
> > For the second part of your question. You would do a normal controller
> > action setup like /files/download/1 and then use the media view and
> > your own logic to determine the file.
> >
> > http://book.cakephp.org/view/489/Media-Views
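The three points from David's post (sniff the real MIME type, re-encode the image, store under an unguessable UUID name) as one upload handler. This is an added example in plain PHP, not code from the thread or from CakePHP; it assumes the fileinfo and GD extensions, and UPLOAD_DIR is a placeholder for a directory outside the web root.

```php
<?php
// Added example: upload handling that follows the three points above.
// Assumes PHP with the fileinfo and GD extensions; UPLOAD_DIR is a placeholder.

const UPLOAD_DIR = '/var/app/uploads';   // placeholder path, outside the web root
const ALLOWED    = ['image/jpeg' => 'jpg', 'image/png' => 'png'];

// 1. Do not trust $_FILES[...]['type'] (client supplied); sniff the bytes on disk.
function detectMime(string $path): string {
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    return $finfo->file($path) ?: 'application/octet-stream';
}

// 3. RFC 4122 version 4 UUID from 16 random bytes, used as the stored file name
//    so a client can neither choose the name nor guess another user's.
function uuid4(): string {
    $b = random_bytes(16);
    $b[6] = chr((ord($b[6]) & 0x0f) | 0x40);   // version nibble = 4
    $b[8] = chr((ord($b[8]) & 0x3f) | 0x80);   // variant bits = 10xx
    return vsprintf('%s%s-%s-%s-%s-%s%s%s', str_split(bin2hex($b), 4));
}

// Returns the UUID under which the image was stored, or null if rejected.
function storeUpload(array $file): ?string {
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $mime = detectMime($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        return null;                             // content decides, not the claimed type
    }
    // 2. Re-encode through GD: the output contains only pixel data, so comment
    //    blocks, EXIF and anything appended after the image are dropped.
    $img = @imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($img === false) {
        return null;                             // header looked right, body did not decode
    }
    $uuid = uuid4();
    $dest = UPLOAD_DIR . '/' . $uuid . '.' . ALLOWED[$mime];
    $ok = ($mime === 'image/png') ? imagepng($img, $dest) : imagejpeg($img, $dest, 90);
    imagedestroy($img);
    return $ok ? $uuid : null;                   // caller maps UUID to the owning user
}

// Typical use from a controller action (constructed):
// $id = storeUpload($_FILES['photo']);
```

Only the UUID is handed back to the application, which records it against the uploading user; the file itself is then served either by a transformed copy or through that UUID path, never by a client-chosen name.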