On Mon, 14 Jul 2003 00:24:03 -0400, you wrote: >Looking for opinions. Can a spoofed uploaded file hurt a script or a >webserver?? >Reason why Im asking is because, I looked over the magic.mime file on my >server, and I see that it >doesn't support flash files (I may be wrong), of which I currently allow >flash files to be uploaded. >So who knows what else it may not support. >I guess, can it really be bad for your script, your server, and/or your >health??
The following is just uninformed opinion, as I haven't sat down and tested any of this, or even thought about it to any great degree. I'd welcome anyone telling me where I'm wrong. I wouldn't want user-created data to end up under the webroot. I'd always be worrying about, say, someone uploading a file that used SSI to sneak the database password file out of the server, or something. And even if I plugged that hole, there might be another, and another... rather than plug individual holes, I'd want to avoid that entire class of problems. The best approach, IMO, is to keep such uploaded files outside the webroot, and call them via a PHP script. Something like /show_resource.php?resourceid=1535 with the resource directory either waaaay over there, or (my preference) replaced by a database table. The show-resource.php script just has to set the correct mime type header and stream out the contents of the file. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
