Re: Protector protects from a legitimate upload.
List posts in the topic
Re: Protector protects from a legitimate upload.
msg# 1.3
Dave_L
From: Virginia, USA
Posts: 35
Are you talking about filenames with consecutive periods (../foo/bar.txt) or non-consecutive periods (foo.tar.gz)?
I think the latter (non-consecutive periods) is blocked if the "Exit if bad files are uploaded" setting in the Protector module preferences is enabled. This is implemented in Protector::check_uploaded_files() in trust_path/modules/protector/class/protector.php.
I have this setting disabled.
The former (consecutive periods) is blocked if the setting "Protection from Directroy Traversals" is enabled. This is implemented in function protector_prepare() in trust_path/modules/protector/include/precheck.inc.php.
This applies to Protector 3.04. I haven't upgraded to 3.1 yet.
Votes:23
Average:4.35
Posts tree