php-general Digest 18 Jun 2008 20:35:30 -0000 Issue 5521
Topics (messages 275510 through 275537):
Re: substr?
275510 by: Frank Arensmeier
275515 by: Peter Ford
275523 by: Jim Lucas
phpinfo shows wrong value of post_max_size
275511 by: Yi Wang
275513 by: Pavel
Re: Search like php.net's URL thingy
275512 by: Philip Olson
275529 by: Nate Tallman
275536 by: Jon Drukman
Re: CAD file decoding
275514 by: Iv Ray
275537 by: Lester Caine
climb up the path
275516 by: Iv Ray
275517 by: James Dempster
275518 by: Iv Ray
275519 by: Stut
275524 by: Jim Lucas
275530 by: Iv Ray
275531 by: Iv Ray
275534 by: Jim Lucas
275535 by: Richard Heyes
Re: conversion of unicode characters into utf-8
275520 by: tedd
Re: How to prevent DoS on PHP script?
275521 by: Philip Thompson
275525 by: Michelle Konzack
275526 by: Michelle Konzack
275532 by: Jim Lucas
275533 by: Daniel Brown
Online Job Available
275522 by: Brock Diegel
Re: Boa Webserver and PHP5
275527 by: Michelle Konzack
Re: Strategy to protect images
275528 by: Michelle Konzack
Administrivia:
To subscribe to the digest, e-mail:
[EMAIL PROTECTED]
To unsubscribe from the digest, e-mail:
[EMAIL PROTECTED]
To post to the list, e-mail:
[EMAIL PROTECTED]
----------------------------------------------------------------------
--- Begin Message ---
On 17 Jun 2008 at 22:14, Jim Lucas wrote:
Jason Pruim wrote:
Hi everyone,
I am attempting to adapt some code to work more reliably than how
it is now...
What I am doing is coding an upload form where people could be
uploading .zip files in excess of 200 MB... Yes I know that is
large, but it's for a print shop and they get HUGE files to print
from.
The code I'm having issues with is this:
$filename = $_FILES['userfile']['name']; // Get the name of
the file (including file extension).
$ext = substr($filename, strpos($filename,'.'), strlen
($filename)-1); // Get the extension from the filename.
All I want to do is grab the file extension and verify that it is
a .zip or a .pdf etc. file. This is working for small files (under
a few megs) but for some reason it fails when I get bigger. I have
increased the allowed memory size to 50 MB. I'm testing with a 44
MB file right now.
When it fails, it says the file type is not allowed even though it
is listed in the file type array.
Hopefully I have given you enough to go on to at least ask me some
questions :)
--
Jason Pruim
Raoset Inc.
Technology Manager
MQC Specialist
3251 132nd ave
Holland, MI, 49424-9337
www.raoset.com
[EMAIL PROTECTED]
Looking at what I think you are trying to do, how about this?
<?php
if ( isset( $_FILES ) ) {
    foreach ( $_FILES AS $file ) {
        $filename = $file['name'];
        list($ext) = array_reverse(explode('.', $filename));
        $allowed_ext = array('zip', 'pdf');
        if ( in_array($ext, $allowed_ext) ) {
            // Correct extension; do whatever
        } else {
            // Incorrect extension; do nothing
        }
    }
}
?>
I am somewhat surprised that all code suggestions are rather
complicated in my opinion. What is wrong with 'pathinfo'?
if ( !isset( $_FILES['userfile']['name'] ) ) {
    echo "No file has been uploaded";
} else {
    $allowed_extensions = array( "zip", "pdf", "ai", "html" );
    $file_info = pathinfo( $_FILES['userfile']['name'] );
    // a name without a dot has no 'extension' key at all
    if ( isset( $file_info['extension'] ) &&
         in_array( strtolower( $file_info['extension'] ), $allowed_extensions ) ) {
        echo "File has a valid extension";
    } else {
        // do something else
    }
}
// frank
--
Jim Lucas
"Some men are born to greatness, some achieve greatness,
and some have greatness thrust upon them."
Twelfth Night, Act II, Scene V
by William Shakespeare
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
--- End Message ---
--- Begin Message ---
Frank Arensmeier wrote:
I am somewhat surprised that all code suggestions are rather complicated
in my opinion. What is wrong with 'pathinfo'?
if ( !isset( $_FILES['userfile']['name'] ) ) {
echo "No file has been uploaded";
} else {
$allowed_extensions = array( "zip", "pdf", "ai", "html" );
$file_info = pathinfo( $_FILES['userfile']['name'] );
if ( in_array( strtolower( $file_info['extension'] ),
$allowed_extensions ) ) {
echo "File has a valid extension";
} else {
// do something else
}
}
// frank
Two points here:
Firstly, as someone has already indicated, the file will be uploaded before the
PHP script runs, so the end user will have to wait for his junk to get through
the internet before (s)he is told it is junk. Is that what you want?
Secondly, using the file extension to determine file type is a very poor idea
and open to abuse. If you have the file (which you do, 'cos it's been uploaded
before your script runs) then you should do a bit more checking before accepting
it. The Unix/Linux "file" command can help here. Not perfect, but still...
You could also Virus-scan the file before accepting it. All depends on whether
your customer is prepared to wait while you clear his upload.
Cheers
Pete
--
Peter Ford phone: 01580 893333
Developer fax: 01580 893399
Justcroft International Ltd., Staplehurst, Kent
--- End Message ---
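Peter's second point, carried into working code as an added example (this is not code from the thread; it targets PHP 8): check the client-supplied name against an extension allowlist, then compare the first bytes of the temporary file with the signature expected for that extension, so a ".pdf" that is really a script is refused. The field name "userfile", the accepted types and the "ai is checked as PDF" mapping are assumptions.

```php
<?php
// Added example, not from the thread. Validates an upload by an extension
// allowlist AND by the file's leading bytes instead of trusting the client
// name alone. Field name "userfile" and the type list are assumptions.

// Magic-number prefixes for the types the print shop accepts. Modern
// Illustrator ".ai" files are PDF-compatible, so they are checked as PDF
// (an assumption about the shop's files).
const UPLOAD_SIGNATURES = [
    'zip' => ["PK\x03\x04", "PK\x05\x06"],   // local file header / empty archive
    'pdf' => ["%PDF-"],
    'ai'  => ["%PDF-"],
];

/**
 * Returns the lowercase extension on success, or null when either the name
 * or the content fails validation. $bytes is the start of the file.
 */
function classify_upload(string $client_name, string $bytes): ?string
{
    // basename() strips any directory components a hostile client sends.
    $ext = strtolower(pathinfo(basename($client_name), PATHINFO_EXTENSION));
    if (!isset(UPLOAD_SIGNATURES[$ext])) {
        return null;                         // extension not on the allowlist
    }
    foreach (UPLOAD_SIGNATURES[$ext] as $sig) {
        if (strncmp($bytes, $sig, strlen($sig)) === 0) {
            return $ext;                     // name and content agree
        }
    }
    return null;                             // e.g. "flyer.pdf" that is really a script
}

/** Reads the first 8 bytes of an uploaded temp file and classifies it. */
function classify_uploaded_file(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $head = file_get_contents($file['tmp_name'], false, null, 0, 8);
    return $head === false ? null : classify_upload($file['name'], $head);
}

// Constructed sample inputs standing in for real uploads:
assert(classify_upload('job-1234.ZIP', "PK\x03\x04\x14\x00\x00\x00") === 'zip');
assert(classify_upload('flyer.pdf', "%PDF-1.7\n") === 'pdf');
assert(classify_upload('flyer.pdf', "<?php system(\$_GET['c']);") === null); // content lies
assert(classify_upload('../../etc/passwd', "root:x:0") === null);           // no allowed ext
assert(classify_upload('shell.php.zip', "<?php") === null);                  // ext ok, bytes wrong

if (isset($_FILES['userfile'])) {
    $type = classify_uploaded_file($_FILES['userfile']);
    echo $type === null ? "File rejected\n" : "Accepted as $type\n";
}
```

A matching signature is a sanity check, not proof of safety: a ZIP that starts with the right bytes can still contain anything, so for a print shop the archive should also be opened and its members listed (and, as Peter says, virus-scanned) before it is handed on. is_uploaded_file() keeps the check tied to the file PHP actually received rather than to a path an attacker names.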
--- Begin Message ---
Peter Ford wrote:
Two points here:
Firstly, as someone has already indicated, the file will be uploaded
before the PHP script runs, so the end user will have to wait for his
junk to get through the internet before (s)he is told it is junk. Is
that what you want?
Secondly, using the file extension to determine file type is a very poor
idea and open to abuse. If you have the file (which you do, 'cos it's
been uploaded before your script runs) then you should do a bit more
checking before accepting it. The Unix/Linux "file" command can help
here. Not perfect, but still...
You could also Virus-scan the file before accepting it. All depends on
whether your customer is prepared to wait while you clear his upload.
Cheers
Pete
I think that you have the wrong person here. That was a different thread/person
talking about preventing DoS'ing attacks. Not Jason.
--
Jim Lucas
--- End Message ---
--- Begin Message ---
Hi,
These days I'm working on large file uploading. PHP runs on
Windows Server 2003.
I changed the post_max_size value in the registry. Then phpinfo
reports the value changed from 8M to 200M (local value; the master value
stayed at 8M).
I think phpinfo should report that value as 8M, not 200M. So does ini_get.
--
Regards,
Wang Yi
--- End Message ---
--- Begin Message ---
In the message from Wednesday 18 June 2008 14:25:35, Yi Wang wrote:
> Hi,
>
> These day I'm working around large file uploading. php runs on the
> windows server 2003.
>
> I changed the post_max_size value in the registry. Then phpinfo
> reports the value changed from 8M to 200M (local value. Master value
> stayed still 8M.).
>
> I think phpinfo should report that value as 8M, not 200M. So does ini_get.
>
>
> --
> Regards,
> Wang Yi
restart your IIS server :)
--
===============
Regards, Manylov Pavel aka [R-k]
icq: 949-388-0
mailto:[EMAIL PROTECTED]
===============
And as they say:
After persistent training, gymnast Petrov achieved perfect mastery of his body.
Now he couldn't care less about other bodies.
[fortune]
--- End Message ---
--- Begin Message ---
> Why is an ErrorDocument "insufficient" or "not the elegant way"?
>> It accomplishes the goal in a clean way, no?
>>
>
> It's *WRONG*. ErrorDocument still preserves the 404 error code, it just
> gives it a prettier face. If the page really is there, returning a 404 for
> it is not correct. Search engines will not index it. You probably don't
> want that.
You may set it... so for example:
header('HTTP/1.1 200 OK');
Regards,
Philip
--- End Message ---
--- Begin Message ---
On Tue, Jun 17, 2008 at 3:22 PM, Jon Drukman <[EMAIL PROTECTED]> wrote:
> Nate Tallman wrote:
>
>> Why is an ErrorDocument "insufficient" or "not the elegant way"?
>> It accomplishes the goal in a clean way, no?
>>
>
> It's *WRONG*. ErrorDocument still preserves the 404 error code, it just
> gives it a prettier face. If the page really is there, returning a 404 for
> it is not correct. Search engines will not index it. You probably don't
> want that.
>
>
Not to beat a dead horse, but why would you *not* want to preserve the 404?
If it's a bad url anyways, you probably *want* to return a 404 (albeit
prettier) and you probably *don't* want search engines indexing it.
--- End Message ---
--- Begin Message ---
On Wed, Jun 18, 2008 at 9:19 AM, Nate Tallman
<[EMAIL PROTECTED]> wrote:
> Not to beat a dead horse, but why would you *not* want to preserve the 404?
> If it's a bad url anyways, you probably *want* to return a 404 (albeit
> prettier) and you probably *don't* want search engines indexing it.
The original question was not how to serve fancy 404's, it was how to
serve URLs like http://php.net/strtolower.
You definitely want those indexed.
--- End Message ---
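Jon's point is that the handler must return a real 200 only for URLs that name an existing page and a genuine 404 otherwise. The following added example (not from the thread; PHP 8) does that lookup against a fixed page map instead of touching the filesystem with the request path, so the ErrorDocument trick cannot be turned into a file read. The page map, the "ErrorDocument 404 /router.php" routing and the 301 for a unique prefix are assumptions.

```php
<?php
// Added example, not from the thread. Resolves "shortcut" URLs such as
// /strtolower against a known page map and answers 200 only when the page
// exists. Assumes Apache sends unmatched paths here via
// "ErrorDocument 404 /router.php" (an assumption; any front controller works).

/** Constructed page map: URL path segment => local file. */
const PAGES = [
    'strtolower' => 'manual/function.strtolower.html',
    'strtoupper' => 'manual/function.strtoupper.html',
    'substr'     => 'manual/function.substr.html',
];

/**
 * Returns [status, target]. A path naming a known page resolves to 200;
 * a unique prefix redirects (301) to its canonical URL; anything else
 * stays a genuine 404, which is what search engines should see for junk.
 */
function resolve_shortcut(string $uri, array $pages): array
{
    $path = (string)(parse_url($uri, PHP_URL_PATH) ?? '');
    // Only a single plain segment is accepted: no slashes, dots or encodings
    // reach the filesystem, so the map, not the request, decides the file.
    if (!preg_match('#^/([a-z0-9_]{1,64})$#', $path, $m)) {
        return [404, null];
    }
    $name = $m[1];
    if (isset($pages[$name])) {
        return [200, $pages[$name]];
    }
    $hits = array_filter(array_keys($pages), fn($k) => str_starts_with($k, $name));
    if (count($hits) === 1) {
        return [301, '/' . reset($hits)];
    }
    return [404, null];
}

function serve(string $uri): void
{
    [$status, $target] = resolve_shortcut($uri, PAGES);
    if ($status === 200) {
        header('HTTP/1.1 200 OK');          // overrides the 404 an ErrorDocument inherits
        readfile(__DIR__ . '/' . $target);
    } elseif ($status === 301) {
        header('Location: ' . $target, true, 301);
    } else {
        header('HTTP/1.1 404 Not Found');   // keep the 404: nothing to index
        echo 'Not found';
    }
}

// Constructed requests; the assertions double as documentation.
assert(resolve_shortcut('/strtolower', PAGES) === [200, 'manual/function.strtolower.html']);
assert(resolve_shortcut('/strtou', PAGES) === [301, '/strtoupper']);
assert(resolve_shortcut('/str', PAGES) === [404, null]);          // ambiguous prefix
assert(resolve_shortcut('/../etc/passwd', PAGES) === [404, null]);
assert(resolve_shortcut('/substr?x=1', PAGES) === [200, 'manual/function.substr.html']);

if (PHP_SAPI !== 'cli') {
    serve($_SERVER['REQUEST_URI'] ?? '/');
}
```

Because the request path is only ever used as a dictionary key, the handler never echoes it back either, which is the other classic mistake in "pretty 404" pages: reflecting the unknown URL into the HTML without escaping it.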
--- Begin Message ---
Lester Caine wrote:
> Has anybody seen any software that could be used with PHP to extract the
> preview pictures from CAD files such as DXF and the like. I'm looking to
keep thumbnails of the drawings in much the same way as we generate
> thumbnails of images. So I can display a list of previews before
> downloading the whole file.
It seems DXF files can be accessed with JavaScript.
This sounds a bit peculiar to me, how big are these files?
Iv
--- End Message ---
--- Begin Message ---
Iv Ray wrote:
Lester Caine wrote:
> Has anybody seen any software that could be used with PHP to extract the
> preview pictures from CAD files such as DXF and the like. I'm looking to
> keep thumbnails of the drawings in much the same way as we generate
> thumbnails of images. So I can display a list of previews before
> downloading the whole file.
It seems DXF files can be accessed with JavaScript.
This sounds a bit peculiar to me, how big are these files?
Can be very big
http://medw.co.uk/fisheye/view.php?gallery_id=36 will give you the idea.
I'm dumping the images to jpg from Turbocad, so I have separate thumbnails to
drawing files, but ideally if people are uploading drawing files we will need
to automatically produce thumbnails for them, server end rather than client.
--
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/lsces/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk//
Firebird - http://www.firebirdsql.org/index.php
--- End Message ---
--- Begin Message ---
hi all,
I need a way to get the path to the parent folder of the folder I am in.
One "dirty" way I found is this -
require_once(dirname(__FILE__) . DIRECTORY_SEPARATOR .
".." . DIRECTORY_SEPARATOR .
"config.php");
I can also explode() and reassemble all folders except the last, but
this also looks dirty...
Is there a direct way?
iv
--- End Message ---
--- Begin Message ---
Personally I use.
<?php require_once(dirname(dirname(__FILE__)).'/config.php');
I think it's what most people do.
/James Dempster
On Wed, Jun 18, 2008 at 1:31 PM, Iv Ray <[EMAIL PROTECTED]> wrote:
> hi all,
>
> i need a way to get the path to the parent folder of the folder i am in.
> one "dirty" way i found is this -
>
> require_once(dirname(__FILE__) . DIRECTORY_SEPARATOR .
> ".." . DIRECTORY_SEPARATOR .
> "config.php");
>
> i can also explode() and reassemble all folders except the last, but this
> looks also dirty...
>
> is there a direct way?
>
> iv
>
--- End Message ---
--- Begin Message ---
James Dempster wrote:
> Personally I use.
>
> <?php require_once(dirname(dirname(__FILE__)).'/config.php');
>
> I think it's what most people do.
A... very interesting, thanks.
To get the path only I did this -
$path = dirname(__FILE__);
$parts = explode(DIRECTORY_SEPARATOR, $path);
array_pop($parts);
$INSTALL_PATH = implode(DIRECTORY_SEPARATOR, $parts);
It's kind of long...
If somebody has a better idea, I would be glad to hear.
Iv
--- End Message ---
--- Begin Message ---
On 18 Jun 2008, at 13:57, Iv Ray wrote:
James Dempster wrote:
> Personally I use.
>
> <?php require_once(dirname(dirname(__FILE__)).'/config.php');
>
> I think it's what most people do.
A... very interesting, thanks.
To get the path only I did this -
$path = dirname(__FILE__);
$parts = explode(DIRECTORY_SEPARATOR, $path);
array_pop($parts);
$INSTALL_PATH = implode(DIRECTORY_SEPARATOR, $parts);
It's kind of long...
If somebody has a better idea, I would be glad to hear.
$path = dirname(dirname(__FILE__));
That will get you the parent directory.
-Stut
--
http://stut.net/
--- End Message ---
--- Begin Message ---
Stut wrote:
On 18 Jun 2008, at 13:57, Iv Ray wrote:
James Dempster wrote:
> Personally I use.
>
> <?php require_once(dirname(dirname(__FILE__)).'/config.php');
>
> I think it's what most people do.
A... very interesting, thanks.
To get the path only I did this -
$path = dirname(__FILE__);
$parts = explode(DIRECTORY_SEPARATOR, $path);
array_pop($parts);
$INSTALL_PATH = implode(DIRECTORY_SEPARATOR, $parts);
It's kind of long...
If somebody has a better idea, I would be glad to hear.
$path = dirname(dirname(__FILE__));
That will get you the parent directory.
-Stut
Iv,
tell me why you are wanting to do this?
If it is the reason I think it is, I can give you a better way to accomplish
this.
--
Jim Lucas
--- End Message ---
--- Begin Message ---
Stut wrote:
$path = dirname(dirname(__FILE__));
That will get you the parent directory.
-Stut
A,... right! - me and my limited thinking... - dirname() gives the
parent of a file AND of a directory, right.
Thanks,
Iv
--- End Message ---
--- Begin Message ---
Jim Lucas wrote:
Iv,
tell me why you are wanting to do this?
If it is the reason I think it is, I can give you a better way to
accomplish this.
I have the source and a configuration file, which I want outside the
source - it is different from server to server.
The easiest is to have the configuration file one folder up.
At the same time I want the source to work wherever it is placed.
So the source sees where it is, and climbs one directory up to read the
configuration specific for this installation.
I do not want to use "ignore" in the repository, in order to prevent the
configuration file from being overwritten.
Iv
--- End Message ---
--- Begin Message ---
Iv Ray wrote:
Jim Lucas wrote:
Iv,
tell me why you are wanting to do this?
If it is the reason I think it is, I can give you a better way to
accomplish this.
I have the source and a configuration file, which I want outside the
source - it is different from server to server.
The easiest is to have the configuration file one folder up.
At the same time I want the source to work wherever it is placed.
So the source sees where it is, and climbs one directory up to read the
configuration specific for this installation.
I do not want to use "ignore" in the repository, in order to prevent the
configuration file from being overwritten.
Iv
So, saying that it is outside the source does not tell me if it is outside the
document root.
So, I guess my option might still work in this case.
Use your include_path php.ini setting.
If you have a main file that you include, like the one I have called
handy.php that is included at the top of every script,
then in this main file you could modify your include_path:
#main_include_file.php
<?php
#if you are trying to go to the parent folder, then just ../
#but if you want to go to the parent/parent folder use ../../
#PATH_SEPARATOR is ';' on Windows and ':' everywhere else
ini_set('include_path', '../../' . PATH_SEPARATOR . '../' . PATH_SEPARATOR . ini_get('include_path'));
#the rest of your stuff goes here.
?>
Then...
#yourscript.php
<?php
include_once 'main_include_file.php';
include 'config.php';
...
?>
This should work for any host.
--
Jim Lucas
--- End Message ---
--- Begin Message ---
i need a way to get the path to the parent folder of the folder i am in.
one "dirty" way i found is this -
require_once(dirname(__FILE__) . DIRECTORY_SEPARATOR .
".." . DIRECTORY_SEPARATOR .
"config.php");
i can also explode() and reassemble all folders except the last, but
this looks also dirty...
is there a direct way?
There's nothing dirty about dirname(), and for your issue, just call it
twice:
dirname(dirname(__FILE__));
--
Richard Heyes
Employ me:
http://www.phpguru.org/cv
+----------------------------------------+
| Access SSH with a Windows mapped drive |
| http://www.phpguru.org/sftpdrive |
+----------------------------------------+
--- End Message ---
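Both the dirname(dirname(__FILE__)) one-liner and Jim's include_path variant locate config.php relative to where the code runs. The added example below (not from the thread; PHP 8) does the same climb with two checks a per-server secrets file deserves: the resolved path is pinned to the install directory, and the file is refused if it lives under the document root, where a misconfigured server would hand it out as text. The layout (<install>/config.php beside <install>/src/) and the use of DOCUMENT_ROOT are assumptions.

```php
<?php
// Added example, not from the thread. Finds config.php one directory above
// the source tree and checks that the result is where it should be.
// Assumed layout: <install>/config.php next to <install>/src/<this file>.

/**
 * Returns the absolute config path or throws. $self is normally __FILE__;
 * $doc_root is $_SERVER['DOCUMENT_ROOT'] (null outside a web request).
 */
function locate_config(string $self, ?string $doc_root): string
{
    $install = dirname(dirname($self));             // parent of this file's folder
    $config  = realpath($install . DIRECTORY_SEPARATOR . 'config.php');
    if ($config === false) {
        throw new RuntimeException("config.php not found above " . dirname($self));
    }
    // realpath() resolves symlinks, so a link planted at <install>/config.php
    // that points somewhere else is caught here.
    if (dirname($config) !== realpath($install)) {
        throw new RuntimeException("config.php resolves outside $install");
    }
    if ($doc_root !== null) {
        $root = rtrim((string)realpath($doc_root), DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        if (str_starts_with($config . DIRECTORY_SEPARATOR, $root)) {
            throw new RuntimeException("refusing config.php inside the document root $doc_root");
        }
    }
    return $config;
}

// Self-test on a constructed layout in a temporary directory.
$base = sys_get_temp_dir() . '/climb_' . bin2hex(random_bytes(4));
mkdir("$base/install/src", 0700, true);
mkdir("$base/install/htdocs", 0700, true);
file_put_contents("$base/install/config.php", "<?php return ['dsn' => 'sqlite::memory:'];\n");
file_put_contents("$base/install/src/app.php", "<?php\n");

// Normal case: web root is <install>/htdocs, config sits one level above it.
$cfg = locate_config("$base/install/src/app.php", "$base/install/htdocs");
assert($cfg === realpath("$base/install/config.php"));
assert((require $cfg)['dsn'] === 'sqlite::memory:');

// Same file, but the document root is the install dir itself: refused,
// because config.php would then be one URL away from anyone.
try {
    locate_config("$base/install/src/app.php", "$base/install");
    assert(false, 'config inside the document root must be refused');
} catch (RuntimeException $e) {
    assert(str_contains($e->getMessage(), 'document root'));
}

// Clean up the constructed layout.
foreach (["$base/install/src/app.php", "$base/install/config.php"] as $f) {
    unlink($f);
}
foreach (["$base/install/src", "$base/install/htdocs", "$base/install", $base] as $d) {
    rmdir($d);
}
```

Two caveats on the include_path version in particular: relative entries such as ../ are resolved against the process's current working directory, not against the script's directory, so the same config.php can be found from one entry point and missed from another; and include 'config.php' takes the first match along include_path, so any attacker-writable directory that appears earlier in the path lets a planted config.php be loaded instead of the real one.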
--- Begin Message ---
At 10:26 PM -0700 6/16/08, valsaraj wrote:
Hi,
I am using code
$val = htmlentities($val, ENT_QUOTES, "UTF-8");
but it's not working in version 5.2.0. Is there any additional configuration
needed for this. it's working well in 5.2.2. Could you please help me???
--
Here's a good article on the subject, with code!
http://randomchaos.com/documents/?source=php_and_unicode
Cheers,
tedd
--
-------
http://sperling.com http://ancientstones.com http://earthstones.com
--- End Message ---
--- Begin Message ---
On Jun 17, 2008, at 9:22 AM, Michelle Konzack wrote:
Am 2008-06-16 12:02:27, schrieb Per Jessen:
Check client IP-addresses?
And then? I am DoS'ed from several 1000 IPs and since legitimate
uploaders are mostly on dynamic IPs I can not block by IP.
OK, last Saturday I installed a COOKIE which worked for the
weekend, but this morning the DoS'er solved this problem too.
This means there are one or more crackers targeting my system
directly.
OK, even if I use PHP heavily, my system was never hacked since it
has been up (June 2000), but now I am going to be militant if I catch
one of those pigs...
They're attacking you b/c they've read your previous posts to this
list about blocking javascript, so they're just testing you. If I were
you, I'd consider it to be a privilege that you're getting DoS'd. =P
/\/\y t00 s1nce,
~Phil
Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
24V Electronic Engineer
Tamay Dogan Network
Debian GNU/Linux Consultant
--
Linux-User #280138 with the Linux Counter, http://counter.li.org/
##################### Debian GNU/Linux Consultant
#####################
Michelle Konzack Apt. 917 ICQ #328449886
+49/177/9351947 50, rue de Soultz MSN LinuxMichi
+33/6/61925193 67100 Strasbourg/France IRC #Debian (irc.icq.com)
"Personally, most of my web applications do not have to factor 13.7
billion years of space drift in to the calculations, so PHP's rand
function has been great for me..." ~S. Johnson
--- End Message ---
--- Begin Message ---
Hello Nitsan and Andrew,
Am 2008-06-16 13:20:14, schrieb Andrew Ballard:
> On Mon, Jun 16, 2008 at 1:01 PM, Nitsan Bin-Nun <[EMAIL PROTECTED]> wrote:
> > I think you can handle this with 2 pages, the first is checking whether the
> > user is permitted to upload or not and if so passing him to the upload form
> > with a simple (bool) $_SESSION variable which indicates his permissions.
> > If you will try to access the second page and the $_SESS variable won't
> > exist it will throw you back to page 1 to validate your permissions.
> >
> > Am I missing something? (its pretty simple..)
> >
> > HTH
>
> Yes, it's missing something. There is nothing in this approach to
> prevent the remote client from attempting to access the second page
> directly. Even if they do not have the valid $_SESSION variable set,
> the server will still receive the entire uploaded content before
> passing control to the PHP script to validate permissions. In a DoS
> attack, the attacker doesn't care whether the request is actually
> allowed; only that resources were consumed in handling the request.
> It's still the "chicken and egg" problem already described in this
> thread.
OK, I was thinking about it, but IF an $UPLOADER goes to
http://domain/index.php
and then clicks the link
http://domain/mirror_admin.php
which sets a cookie, and then the $UPLOADER must click a link where he/she
gets the page
http://domain/mirror_upload.php
before the page is displayed, PHP could check the cookie, right?
If the cookie is valid, it shows the Form; if not, the potential Uploader
gets a long nose.
Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
24V Electronic Engineer
Tamay Dogan Network
Debian GNU/Linux Consultant
--- End Message ---
--- Begin Message ---
Am 2008-06-16 19:24:25, schrieb Wolf:
> There's a number of things you can try, depending on what EXACTLY they
> are doing.
>
> If they are uploading things to your server which they then reference,
> it is a simple apache configuration that you could do. For instance,
> you can upload fine to my server, but once it is there, the system knows
> nothing about it. You can see the file all day long, but nothing is
> going to allow it to get served back to you.
Since the script allows only files like
<PACKAGE_NAME>_X.Y.Z.orig.tar.gz
plus
<PACKAGE_NAME>_X.Y.Z-N.diff.gz
<PACKAGE_NAME>_X.Y.Z-N.desc
<PACKAGE_NAME>_X.Y.Z-N.changes
and then many
<PACKAGE_NAME>_X.Y.Z-N_<ARCH>.deb
So, you can see, it is an upload script for a private Debian mirror. So
the thing with the file upload is solved AFTER the upload, since ANY non-
Debian Source/Binary Packages are dropped AFTER download. But as someone
has already mentioned, PHP can only check this AFTER the upload, when
the DoS has already happened..
> If they are continuing to load the page, implement a simple login and
> page check for that specific page. Sure, apache loads the page, but
For now, I will go the way over two/three pages like
index.php -> mirror_admin.php -> mirror_upload.php
set a check the
session cookie session cookie
OK, on my server those three scripts are the same since I have ONLY a
"index.php" on my server and the rest is done by PHP but this should be
no problem.
> that's done PDQ instead of letting them upload a file first. If the
> login works, great, give them the upload form, otherwise error them out.
> You could snag the IP address, browser type, other information and
> store it all in a DB, then do a quick check to see if the IP matches,
> followed by a browser and whatnot. It's overkill, but you should also
> see HOW they are doing it as well, and you could implement the block to
> work on a number of factors.
>
> If they are uploading to just stall you out, talk to the ISP and let
> them know you are getting DDOS and get their network admins involved.
Currently I have gotten around 3000 uploads in the last 3 weeks and my
ISP allows me only 100 GByte of traffic, which means if the uploads increase
I will run into trouble.
> You could change the filename, but maybe that's too simple a suggestion?
> If it is for your personal use, rename the upload page to
> Michelles_dumb_upload_script.php or even have a cron job that randomly
> changes the name of the file and emails you the new name when it is done.
Using a simple md5sum name which is generated by "foo${date}bar" would
do it nicely... and screw up crackers and script kiddies...
> OH, and check your email sending server for dates and such. According
> to the headers, you sent the email this morning. But according to the
> dates on the sent email, you sent it on the 13th at 4:21 PM which is
> about 2 days and 15 hours and 32 minutes before you actually did.
Where I live, I have NO phone line and NO internet connection, so I am
forced to write off-line and then in the afternoon/evening I go into
the Internet café and send my stuff...
Note: I have problems getting my "Nokia 6120 classic" and my
"Merlin U630" running, which would solve my E-Mail problem.
Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
24V Electronic Engineer
Tamay Dogan Network
Debian GNU/Linux Consultant
--- End Message ---
--- Begin Message ---
Michelle Konzack wrote:
Hello Nitsan and Andrew,
Am 2008-06-16 13:20:14, schrieb Andrew Ballard:
On Mon, Jun 16, 2008 at 1:01 PM, Nitsan Bin-Nun <[EMAIL PROTECTED]> wrote:
I think you can handle this with 2 pages, the first is checking whether the
user is permitted to upload or not and if so passing him to the upload form
with a simple (bool) $_SESSION variable which indicates his permissions.
If you will try to access the second page and the $_SESS variable won't
exist it will throw you back to page 1 to validate your permissions.
Am I missing something? (its pretty simple..)
HTH
Yes, it's missing something. There is nothing in this approach to
prevent the remote client from attempting to access the second page
directly. Even if they do not have the valid $_SESSION variable set,
the server will still receive the entire uploaded content before
passing control to the PHP script to validate permissions. In a DoS
attack, the attacker doesn't care whether the request is actually
allowed; only that resources were consumed in handling the request.
It's still the "chicken and egg" problem already described in this
thread.
OK I was thinking about it but IF a $UPLOADER go to
http://domain/index.php
and then click the link
http://domain/mirror_admin.php
which set a cookie and then the $UPLOADER must click a link where he/she
get the page
http://domain/mirror_upload.php
before the page is displayed, PHP could check the cookie right?
If the cookie is valid, it show the Form, if not the potential Uploader
get a long nose.
Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
24V Electronic Engineer
Tamay Dogan Network
Debian GNU/Linux Consultant
That is fine, but I can upload a file to any php script.
I don't need to use your form to do so; I can just use my own form and post data
directly to the script.
If anybody remembers, this was an exploit that was found in the 4.0.6 code back
in the day.
--
Jim Lucas
--- End Message ---
--- Begin Message ---
On Wed, Jun 18, 2008 at 1:00 PM, Jim Lucas <[EMAIL PROTECTED]> wrote:
>
> That is fine, but I can upload a file to any php script.
>
> I don't need to use your form to do so, I an just use my own form and post
> data directly to the script.
>
> If anybody remembers, this was an exploit that was found in the 4.0.6 code
> back in the day.
That's correct. Theoretically, you can place a form anywhere in
the world, and upload a file to any server in the world. This is,
unfortunately, a potentially serious issue.
Consider the following:
I'm in competition with Company A, and I decide to perform a DoS
attack on them. I could distribute the attack, PING flood or teardrop
the server, et cetera.... but instead, I decide to try something more
sinister.
I concoct a very, very simple HTML form like so:
<form method="post" enctype="multipart/form-data"
action="http://www.example.com/">
File: <input type="file" name="huge_file">
<input type="submit" value="Crash!">
</form>
I select the largest file I can find (or generate one myself -
including a VFS block file of several gigabytes), and upload it to
Company A's server via my form. I can even use cURL or POST from the
command line of several servers to expedite the process. Any similar
method will work, and the end result would be the same: exceeding disk
space on the server, causing file corruption, unavailability, missed
database transactions, corrupted backups, undeliverable mail, and even
catastrophic data loss.
On a LAMP system, Apache should automatically remove the file from
the /tmp (or wherever it's configured to write) directory as soon as
the upload completes and the child process dies. However, with a
large file - or several simultaneous large files - you can easily fill
the disk space of a poorly-configured, poorly-secured server.
Not to mention the bandwidth-bogging and RAM-hogging you can do.
Plus, keep in mind that this is completely independent of PHP, so
your timeouts and max_file_upload/max_post_size flags won't save you
here. It's a flaw in HTTP servers themselves.
.... but fear not, young warrior: you are not alone. Almost every
server out there - including those run by people on their desktop PCs
out of their homes - is vulnerable.
Even Microsoft's website. ;-P
--
</Daniel P. Brown>
Dedicated Servers - Intel 2.4GHz w/2TB bandwidth/mo. starting at just
$59.99/mo. with no contract!
Dedicated servers, VPS, and hosting from $2.50/mo.
--- End Message ---
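A defender's configuration for the scenario Daniel describes, as an added example that is not part of the thread: it caps request bodies at the Apache layer, turns PHP file uploads off by default, and re-enables them only on the one script that needs them. The server name, paths, size values and the upload script name are assumed.

```apache
# Added defender's example, not from the thread. Assumes Apache httpd 2.x with
# mod_php and mod_logio, and a site where only /upload.php legitimately
# receives files. All names and sizes below are constructed sample values.

<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/example

    # 1) Cap every request body at the web server, before any script runs.
    #    A request whose Content-Length exceeds this is answered with 413
    #    and its body is not read. 1 MiB is plenty for ordinary forms.
    LimitRequestBody 1048576

    # 2) By default PHP must not accept file uploads at all, so a multipart
    #    POST aimed at a random script never produces a temp file.
    php_admin_flag  file_uploads  Off
    php_admin_value post_max_size 1M

    # 3) Re-enable uploads only where they are expected, with explicit
    #    limits and a temp directory on its own filesystem, so a burst of
    #    uploads cannot fill / or /tmp.
    <Location "/upload.php">
        LimitRequestBody 220000000
        php_admin_flag  file_uploads        On
        php_admin_value upload_max_filesize 200M
        php_admin_value post_max_size       210M
        php_admin_value max_file_uploads    3
        php_admin_value upload_tmp_dir      /var/lib/php/uploads
    </Location>

    # Detection: log bytes received (%I, needs mod_logio) so oversized
    # POSTs to non-upload scripts stand out in the access log.
    LogFormat "%h %t \"%r\" %>s %I %O" withsize
    CustomLog /var/log/apache2/example-access.log withsize
</VirtualHost>
```

The two size limits work together: LimitRequestBody stops the transfer at the HTTP layer, while post_max_size and upload_max_filesize bound what PHP will parse even for requests that get through.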
--- Begin Message ---
Hi,
Our online market research organization starts recruiting self-motivated and
reliable individuals willing to take part in well-paying research conducted
by leading international businesses. Your opinion as a consumer is important
for the success and profitability of many business ventures. That is why
they are ready to pay for what you think.
Our members are paid for participating in online surveys, focus group
discussions, and product/service evaluations. What's best, all you need to
work with us is a computer, an Internet connection, and the will to voice your
honest opinion.
We'd like to hear from you soon if you want to become one of our highly
valued survey takers.
Please excuse us if this email is unwanted and we have disturbed you in
some way, but this is a serious and sincere enquiry.
Please reply to [EMAIL PROTECTED]
Best regards,
Stephanie Cunningham
--- End Message ---
--- Begin Message ---
On 2008-06-16 10:05:00, Daniel Brown wrote:
> On Sat, Jun 14, 2008 at 11:12 AM, Michelle Konzack
> <[EMAIL PROTECTED]> wrote:
> > ************************************************************************
> > * Do not Cc: me, because I READ THIS LIST, if I write here *
> > * No Cc: to me, I READ THIS LIST if I write here *
> > ************************************************************************
>
> Keep in mind two things:
>
> 1.) Reply-all automatically includes you, where a simple Reply
> does not include the list.
> 2.) Not every person to write to the list is a subscriber, so
> Reply-all is the best option.
>
> If you're getting overloaded, check your email client settings and
> filters.
The problem is NOT there, but people like to put me into the Bcc:, and
those messages show up in my mail folders a long time before the list
message comes back, since it is faster.
Now getting such messages means to me that I get a PM and reply with a PM, but
this message was originally intended to go to the list, which means I have
to write the message twice or lose content.
And of course, HOW can a NON-SUBSCRIBER post to THIS list?
5 weeks ago I changed my E-Mail from my old ISP domain
<freenet.de> to my own NEW domain <tamay-dogan.net> and tried to post
while not subscribed with the NEW E-Mail, and my post was immediately
rejected as "submission by non subscriber".
It seems this is the reason WHY this list is spam-free and I can download
my PHP folder without piping each message through spamassassin, clamav,
checking with <zen.spamhaus.org> and 4.000 lines of procmail scripts...
Same for <postgresql.org>.
OK, the Debian mailing lists have heavy filters now, but nevertheless I get
around 100-400 spams per day over them, which are caught to 99% by my
filters...
Such actions are eating resources! (CPU and maintain time)
> > since my small Laptop (TP570) can not handle the Dino of apache2,
> > I am running the light webserver "boa" under Debian/Sarge.
> >
> > Question: Can anyone tell me HOW to get PHP5 running with it?
>
> RTFM: http://www.boa.org/documentation/boa-2.html#ss2.3
I have done this and I get every time a
---[ STDIN ]------------------------------------------------------------
The file "index.php" is of type application/x-httpd-php, and Mozilla
does not know how to handle this file type. This file is located at:
http://tp570.private.tamay-dogan.net
------------------------------------------------------------------------
> Just like Apache's httpd.conf, you add an AddType directive.
> Compile PHP into a static, standalone (non-modular, non-APXS) binary
> and add the binary as an extension.
I have read it, but can it be that there is a problem with PHP in the
Debian GNU/Linux distribution? (Etch and Sarge)
Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
24V Electronic Engineer
Tamay Dogan Network
Debian GNU/Linux Consultant
--
Linux-User #280138 with the Linux Counter, http://counter.li.org/
##################### Debian GNU/Linux Consultant #####################
Michelle Konzack Apt. 917 ICQ #328449886
+49/177/9351947 50, rue de Soultz MSN LinuxMichi
+33/6/61925193 67100 Strasbourg/France IRC #Debian (irc.icq.com)
--- End Message ---
--- Begin Message ---
On 2008-06-15 14:07:14, tedd wrote:
> At 4:11 PM +0100 6/15/08, Richard Heyes wrote:
> >>But, a sophisticated user will find a way around that.
> >
> >A less sophisticated one will use the PrintScr key... :-)
>
> Must be a windozes thing. :-)
It works on my Debian GNU/Linux Sarge with "Fvwm" too.
----[ '~/.fvwm/PROF_default/keys' ]-------------------------------------
Key Print A A Exec /bin/bash -c 'xwd -root |xwdtopnm
|pnmtojpeg --quality 100 >~/dumps/`date +%Y%m%d%H%M%S`.jpg'
------------------------------------------------------------------------
Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
24V Electronic Engineer
Tamay Dogan Network
Debian GNU/Linux Consultant
--
Linux-User #280138 with the Linux Counter, http://counter.li.org/
##################### Debian GNU/Linux Consultant #####################
Michelle Konzack Apt. 917 ICQ #328449886
+49/177/9351947 50, rue de Soultz MSN LinuxMichi
+33/6/61925193 67100 Strasbourg/France IRC #Debian (irc.icq.com)
--- End Message ---