On Mon, Feb 1, 2010 at 10:08 AM, Florian MAURY wrote:
>
> Sorry, you haven't read my post well: I never said you can't delete
> it; I said you can't overwrite it ;)
You're right, my mistake. The .htaccess file would be an effective
block as far as it goes.
> The thing is it only
> protects Ap
It seems that a convenient and backward compatible solution would be
to provide another allowed mime type like @web_images. Something such
as @safe_files to allow for a list of common types that would provide
a quick way for most developers to get up and running. Alternatively a
not-allowed mime ty
On 1 Feb, 15:42, Tom Boutell wrote:
> > Having write permission on the directory allows deleting a file from
> > it, not overwriting it; if the .htaccess file is 444, it's impossible
> > to overwrite it with an uploaded file.
>
> This is incorrect. I'm not nitpicking here, I honestly wasn't sure
> Having write permission on the directory allows deleting a file from
> it, not overwriting it; if the .htaccess file is 444, it's impossible
> to overwrite it with an uploaded file.
This is incorrect. I'm not nitpicking here, I honestly wasn't sure
myself and had to test it:
boutell# su
Password
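The delete-versus-overwrite question in Tom's test above can be reproduced with the following added shell example (it is not part of the thread and not Symfony code). It builds a world-writable directory like web/uploads with a mode-444 .htaccess in it (the .htaccess contents and the `AddHandler` payload line are constructed samples, not taken from any post) and makes two attempts: an in-place write, which needs write permission on the file itself, and a rename of a freshly written file over the target, which rename(2) permits whenever the caller has write permission on the directory, regardless of the target's mode bits. It assumes a plain 777 directory without the sticky bit; run as root, the in-place attempt also succeeds, because root is not subject to mode bits at all.

```shell
#!/bin/sh
# Added example, not from the thread: can an upload replace a mode-444
# .htaccess when the directory itself is 777?
demo_replace_readonly_htaccess() {
  d=$(mktemp -d) || return 1
  chmod 777 "$d"
  # Constructed sample .htaccess content (any text would do).
  printf 'php_flag engine off\n' > "$d/.htaccess"
  chmod 444 "$d/.htaccess"

  # Attempt 1: open the existing file for writing.  This needs write
  # permission on the FILE, so a non-root user is refused.
  # The payload line is a constructed sample, not a tested config.
  if ( printf 'AddHandler php5-script .jpg\n' > "$d/.htaccess" ) 2>/dev/null; then
    inplace=ok
  else
    inplace=denied
  fi

  # Attempt 2: write the payload as a new file, then rename() it over the
  # target.  rename(2) checks write permission on the DIRECTORY (and the
  # sticky bit, which a plain 777 directory lacks), not the target's mode,
  # so the 444 bits on .htaccess do not protect it.
  printf 'AddHandler php5-script .jpg\n' > "$d/upload.tmp"
  if mv -f "$d/upload.tmp" "$d/.htaccess" 2>/dev/null; then
    replace=ok
  else
    replace=denied
  fi

  # First word of whatever .htaccess now holds, to show which write won.
  content=$(head -c 10 "$d/.htaccess")
  rm -rf "$d"
  echo "inplace=$inplace replace=$replace content=$content"
}

demo_replace_readonly_htaccess
```

For an unprivileged user the function reports `inplace=denied replace=ok content=AddHandler`: the read-only file was replaced without ever being opened for writing. The practical consequence for an upload directory is that a 444 .htaccess is only as strong as the upload code's refusal to write, move, or rename files to that name, which is why the thread keeps coming back to validators and to keeping uploads out of the document root.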
On 1 Feb, 15:08, Tom Boutell wrote:
> Macintosh-4:~ boutell$ cd tmp
> Macintosh-4:tmp boutell$ symfony generate:project testperms
>
> ... various other output elided ...
>
> >> chmod 777 /Users/boutell/tmp/web/uploads
>
> It is the case by default.
>
> Symfony is rather aggressive with the 777 p
I'm not suggesting that web/uploads shouldn't be 777. Like cache/, it
wouldn't be much use for its intended purpose if it wasn't.
The issue here is managing what can be uploaded responsibly, and the
way to do that might be by adding some conspicuous and convenient
validators now in Symfony 1.4 for
Macintosh-4:~ boutell$ cd tmp
Macintosh-4:tmp boutell$ symfony generate:project testperms
... various other output elided ...
>> chmod 777 /Users/boutell/tmp/web/uploads
It is the case by default.
Symfony is rather aggressive with the 777 permissions actually, the
cache is also 777 (by necessit
Hi,
May I "just" ask _why_ the upload directory is in the docroot? I
think the real problem is there; every workaround (in particular,
Apache-specific workarounds) will fail to enforce security.
The simple answer to improve security is to move the upload dir
out of the docroot and:
* for
Hey I didn't know about Diem, very nice!!!
On Tue, Feb 2, 2010 at 2:12 AM, Thibault D wrote:
> Hi all
>
> Good catch Eric Roger, and thanks for the report.
> Please, next time you find a security issue on the Diem demo site, first
> notify the team. We fix it quickly, and then you make the issue
>
Hi all
Good catch Eric Roger, and thanks for the report.
Please, next time you find a security issue on the Diem demo site, first
notify the team. We fix it quickly, and then you make the issue
public. That's the way security issues are generally handled.
Cheers,
Thibault
On Feb 1, 1:50 pm, Pascal
Hi
And what about adding this to the web/.htaccess file:
RewriteRule ^(uploads\/.+)$ $1 [T=application/octet-stream]
It will force downloading of all files inside the uploads folder (so it
removes php and other handlers).
[MA]Pascal
On Mon, Feb 1, 2010 at 08:57, Flukey wrote:
> I agree with your latter pro
I agree with your latter proposal. I think having a default validator
to block certain extensions would be perfect. Furthermore, if
implemented, it would be a quick task to reflect the changes in the
documentation as instead of trying to educate users in the docs, we
can just say "By default sfVal
I completely agree with you.
I agree with others that this is not a symfony bug; however, it is most
certainly a security problem which the majority (including experienced
developers) would not know about.
A lot of developers have adopted sfForms because of the security
features, built in validators,
IMO a sensible way would be
1.) change the docs
http://www.symfony-project.org/forms/1_4/en/02-Form-Validation#chapter_02_file_upload
If I understand this code correctly, a file with extension .php will be
saved in the upload directory with a .phtml extension. (Firefox uploads
a .php file with c