Jeffrey Froman <[EMAIL PROTECTED]> writes:
> Consider a PHP-based CMS that allows users to upload files. Because the
> application runs as the webserver user, uploaded files, and the directory
> where they reside, must be accessible and writable by that user. It is the
> same user that any other hosting customer on that machine has access to.
> Thus, any user on the shared host could write a quick CGI script that
> accesses, adds, removes, or defaces your uploaded content.

That sounds trivial to ameliorate (at least somewhat) by putting your uploads in a directory whose name is known only to you (let's say it's a random 20-letter string). The parent directory can be protected to not allow reading the subdirectory names.
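
The layout this reply describes, as an added example that is not part of the original post: a parent directory that other users can traverse but not list, holding an upload directory with a random 20-letter name. The function names and the 0o711 and 0o733 modes are assumptions chosen for illustration.

```python
import os
import secrets
import stat
import string

PARENT_MODE = 0o711  # assumption: owner rwx; group/other may traverse (x) but not list (r)
UPLOAD_MODE = 0o733  # assumption: webserver user (as "other") may create files, not list them


def make_hidden_upload_dir(parent, name_len=20):
    """Create `parent` as traverse-only and a randomly named upload dir inside it."""
    os.makedirs(parent, exist_ok=True)
    os.chmod(parent, PARENT_MODE)
    # secrets draws from the OS CSPRNG; 20 lowercase letters is about 94 bits
    name = "".join(secrets.choice(string.ascii_lowercase) for _ in range(name_len))
    path = os.path.join(parent, name)
    os.mkdir(path)
    os.chmod(path, UPLOAD_MODE)  # explicit chmod: mkdir's mode argument is masked by umask
    return path


def audit_layout(upload_dir, min_name_len=20):
    """Return a list of problems that would undo the protection (empty list = OK)."""
    problems = []
    parent, name = os.path.split(os.path.abspath(upload_dir))
    mode = stat.S_IMODE(os.stat(parent).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        problems.append("parent is listable by group/other: names can be read")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("parent is writable by group/other: entries can be renamed or removed")
    if not mode & stat.S_IXOTH:
        problems.append("parent is not traversable by other: webserver user cannot reach uploads")
    if len(name) < min_name_len:
        problems.append("directory name is shorter than %d characters" % min_name_len)
    return problems


if __name__ == "__main__":
    import tempfile
    base = tempfile.mkdtemp()  # constructed sandbox, not a real web root
    up = make_hidden_upload_dir(os.path.join(base, "site"))
    print(up, audit_layout(up))
```

The audit checks mode bits only; it cannot tell whether the directory name appears elsewhere, such as in served URLs or in configuration files that other users can read.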