
Re: Protector protects from a legitimate upload.

msg# 1.8
Posted on 2007/9/21 3:41
vaughan (forum rank: Private First Class) Posts: 37
Sorry, I've been busy, so I only just got back to this thread.

Quote:
You should know that $_FILES[]['type'] makes no sense at all.

And if you dare to use $_FILES[]['name'], filter it with a whitelist like
preg_replace( '/[^0-9a-zA-Z_-]/' , '' , $_FILES[]['name'] ) ;

And its extension should be set from the file contents (check with getimagesize()).

If the file is not an image, don't place it under DocumentRoot.

I understand, and from looking at our uploader class (we don't use the XOOPS uploader class; we use a different class for wfdownloads), $_FILES['filename']['name'] is sanitized with MyTextSanitizer::stripSlashesGPC($_FILES[$media_name]['name']),

which I presume is safe(r).

We leave the choice of whether to store the uploads outside of the DocumentRoot to the user: the option is there to upload to whatever path they choose, whether it is inside or outside the DocumentRoot; they just have to set the path in preferences.

The filename on the server is stored using uniqid, for example:

// client-supplied name, with GPC slashes stripped
$this->mediaName = MyTextSanitizer::stripSlashesGPC($_FILES[$media_name]['name'][$index]);
if ($this->randomfilename) {
    // server-side name becomes wfd_<uniqid>--<client name>
    $unique = uniqid(time());
    $this->mediaName = 'wfd_' . $unique . '--' . $this->mediaName;
}

And when the user chooses the download, the filename is changed back to its proper name before it is sent to the browser, so neither the stored filename nor the upload path is ever shown to the user at all.

The file is also checked with getimagesize(), so I think we are thinking along the same lines? I hope.
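As an added example (not code from wfdownloads, XOOPS or Protector), here is an upload helper that follows the three rules discussed in the thread: the client name is whitelist-filtered with the quoted preg_replace(), the extension is taken from getimagesize() rather than from $_FILES[]['type'] or the client name, and the file is stored under a random server-side name and sent back under its display name. The function names, the upload directory and the form field name are assumptions.

```php
<?php
// Added example, not the project's own code. Names below are assumptions.
declare(strict_types=1);

// getimagesize() IMAGETYPE_* constants we accept, mapped to the extension we write.
const ALLOWED_IMAGE_TYPES = [
    IMAGETYPE_GIF  => 'gif',
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
];

/**
 * Whitelist-filter a client-supplied file name: keep only [0-9a-zA-Z_-].
 * The dot is deliberately excluded, so the client cannot choose the extension
 * and cannot smuggle ".." or path separators.
 */
function sanitizeBaseName(string $clientName): string
{
    $base = preg_replace('/[^0-9a-zA-Z_-]/', '', $clientName);
    if ($base === null || $base === '') {
        $base = 'upload';
    }
    return substr($base, 0, 64);
}

/**
 * Decide the extension from the file contents, never from $_FILES[...]['type'].
 * Returns null when the file is not one of the accepted image types.
 */
function extensionFromContents(string $tmpPath): ?string
{
    $info = @getimagesize($tmpPath);
    if ($info === false) {
        return null;
    }
    return ALLOWED_IMAGE_TYPES[$info[2]] ?? null;
}

/**
 * Store one entry of $_FILES under a random server-side name.
 * Returns the pair to keep in the database: the stored name and the display name.
 * $uploadDir should be outside DocumentRoot (or at least not script-executable).
 */
function storeUpload(array $file, string $uploadDir): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with error ' . (string) $file['error']);
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    $ext = extensionFromContents($file['tmp_name']);
    if ($ext === null) {
        throw new RuntimeException('not a recognised image');
    }
    $displayName = sanitizeBaseName($file['name']) . '.' . $ext;
    // uniqid(time()) as in the thread, plus random bytes so the name is not guessable.
    $storedName = 'wfd_' . uniqid((string) time(), true)
                . '_' . bin2hex(random_bytes(8)) . '.' . $ext;
    $dest = rtrim($uploadDir, '/') . '/' . $storedName;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move uploaded file');
    }
    chmod($dest, 0644);
    return ['stored' => $storedName, 'display' => $displayName];
}

/**
 * Send a stored file back under its display name. $storedName comes from the
 * database row, not from the request, so the real path is never exposed; the
 * realpath() check still refuses anything that escapes $uploadDir.
 */
function sendDownload(string $uploadDir, string $storedName, string $displayName): void
{
    $base = realpath($uploadDir);
    $real = realpath(rtrim($uploadDir, '/') . '/' . basename($storedName));
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(404);
        return;
    }
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . (string) filesize($real));
    header('Content-Disposition: attachment; filename="' . $displayName . '"');
    readfile($real);
}

// Usage in a request handler (field name "userfile" and the directory are assumptions):
// $row = storeUpload($_FILES['userfile'], '/var/uploads/wfdownloads');
// ... persist $row['stored'] and $row['display'] in the database ...
// sendDownload('/var/uploads/wfdownloads', $row['stored'], $row['display']);
```

One caveat worth keeping in mind when reading the thread: getimagesize() only parses the image header, so a file that starts as a valid GIF or JPEG but carries script content later in the body still passes. That is why the quoted advice pairs the content check with keeping files outside DocumentRoot; the example above adds a fixed Content-Type and X-Content-Type-Options: nosniff on download for the same reason.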
