Whom do you mean by "you"?
Perhaps "directory traversal" would be irrelevant to this issue.
Quote:
Dave_L wrote:
Are you talking about filenames with consecutive periods (../foo/bar.txt) or non-consecutive periods (foo.tar.gz)?
"tar.gz" is the only exception. (It is treated as .tgz internally.)
You can upload foo.tar.gz with the setting on.
Quote:
I think the latter (non-consecutive periods) is blocked if the "Exit if bad files are uploaded" setting in the Protector module preferences is enabled. This is implemented in Protector::check_uploaded_files() in trust_path/modules/protector/class/protector.php.
I have this setting disabled.
I don't recommend disabling the setting.
There are some modules with the vulnerability involving multiple dots. (They just check against a simple blacklist...)
You know these files can be treated as parsable PHP by Apache:
foo.php.bar
foo.php.en.anonymous
Thus, Protector inhibits such extensions in $_FILES[]['name'].
Of course, all modules should ignore $_FILES[]['name'] if the file is placed under DocumentRoot.
And you can turn this off when all modules are free from such vulnerabilities.
However, when I read some major modules released from xoops.org some months ago, there were NO modules without the vulnerability...
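
The two defences discussed in this post, as an added example (not the poster's code and not Protector's implementation): a check for multiple-dot names with the tar.gz exception, and a stored-name builder that ignores $_FILES[]['name'] apart from one allowlisted final extension. The function names, the allowlist and the sample names other than the two quoted in the post are assumptions.

```php
<?php
// Added example. ALLOWED_EXT and both function names are hypothetical.

// Extensions this hypothetical module accepts, mapped to the extension stored on disk.
const ALLOWED_EXT = ['jpg' => 'jpg', 'jpeg' => 'jpg', 'png' => 'png', 'gif' => 'gif'];

/**
 * True if the client-supplied name carries more than one dot,
 * e.g. foo.php.bar. "tar.gz" is folded to "tgz" first, as the post describes.
 */
function has_multiple_dots(string $clientName): bool
{
    // Drop any path component the client sent, whichever separator it used.
    $name = basename(str_replace('\\', '/', $clientName));
    $name = preg_replace('/\.tar\.gz$/i', '.tgz', $name);
    return substr_count($name, '.') > 1;
}

/**
 * Build the on-disk name for a file placed under DocumentRoot.
 * Nothing from the client name is reused except a single allowlisted
 * final extension, so no extra suffix can reach Apache's handler mapping.
 * Returns null when the extension is not allowlisted.
 */
function stored_name(string $clientName): ?string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_EXT)) {
        return null;
    }
    return bin2hex(random_bytes(16)) . '.' . ALLOWED_EXT[$ext];
}

// Constructed sample names; foo.php.bar and foo.php.en.anonymous are from the post.
$samples = ['photo.jpg', 'foo.tar.gz', 'foo.php.bar', 'foo.php.en.anonymous', 'image.php.jpg'];
foreach ($samples as $n) {
    printf(
        "%-22s multi-dot=%-3s stored-as=%s\n",
        $n,
        has_multiple_dots($n) ? 'yes' : 'no',
        stored_name($n) ?? '(rejected)'
    );
}
```

A module that names files with something like `stored_name()` does not depend on the multiple-dot check, because the client-supplied name never becomes a filename under DocumentRoot.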