[FX.php List] [OFF] Potential gotchas with uploading files?

Gjermund Gusland Thorsen ggt667 at gmail.com
Fri Apr 3 10:18:25 MDT 2009


Well there are also extensions that should be prohibited from keeping
their original name when uploading, .sh -> .txt for example.

ggt

2009/4/3 Gjermund Gusland Thorsen <ggt667 at gmail.com>:
> rename .php files to .phps
>
> http://pastebin.com/f7e3e9f38
>
> ggt667
>
> 2009/4/3 Bob Patin <bob at patin.com>:
>> I definitely wouldn't embed the upload path anywhere but in PHP so that it's
>> not visible to users.
>>
>> Also, I check for authorization at the top of my upload pages, so that only
>> someone who logged-in properly can load the upload pages--that will keep
>> anyone else from being able to upload anything.
>> I put something like this:
>> session_start();
>> // Only a session that went through the login page carries this marker.
>> if ($_SESSION['convoluted_variable'] != "lethimin") {
>>     echo 'Access prohibited.';
>>     exit;
>> }
>>
>> Bob Patin
>>
>>
>> Longterm Solutions
>> bob at longtermsolutions.com
>> 615-333-6858
>> http://www.longtermsolutions.com
>> iChat: bobpatin
>> AIM: longterm1954
>> FileMaker 9 Certified Developer
>> Member of FileMaker Business Alliance and FileMaker TechNet
>> --------------------------
>> FileMaker hosting and consulting for all versions of FileMaker
>> PHP • Full email services • Free DNS hosting • Colocation • Consulting
>> On Apr 2, 2009, at 10:49 PM, Anders Monsen wrote:
>>
>> Not sure if your users will be able to see the upload directory path, but if
>> this is the case and the path can be accessed via web browser, then they may
>> end up with access to the entire directory via a browser. One way around
>> this is to include an index.html file in that directory with a gentle
>> message to the user. This way, if they put the directory path and a trailing
>> slash they will see the contents of this file rather than the directory listing
>> with options to download the files.
>>
>> --
>> Anders Monsen
>>
>>
>> -----Original Message-----
>> From: fx.php_list-bounces at mail.iviking.org on behalf of Bob Patin
>> Sent: Thu 4/2/2009 10:18 PM
>> To: FX.php Discussion List
>> Subject: Re: [FX.php List] [OFF] Potential gotchas with uploading files?
>>
>> Good point about the filesizes; there are a couple of filesize
>> settings in PHP that you'll want to bump up--max file size is one, and
>> there's a 2nd one, but I forget the name now. If you look for 'max'
>> after pulling up phpinfo() on a page, you'll find it. If I remember
>> correctly, they're set to 2MB by default.
>>
>>
>>
>> Bob Patin
>>
>>
>>
>> Longterm Solutions
>> bob at longtermsolutions.com
>> 615-333-6858
>> http://www.longtermsolutions.com
>> Twitter: bobpatin
>> iChat: bobpatin
>> AIM: longterm1954
>> FileMaker 9 Certified Developer
>> Member of FileMaker Business Alliance & FileMaker TechNet
>> --------------------------
>> FileMaker hosting and consulting for all versions of FileMaker
>> Web hosting . PHP . Full email services . Free DNS hosting .
>> Colocation . Consulting
>>
>> On Apr 2, 2009, at 9:57 PM, Dale Bengston wrote:
>>
>>> Hi Joel,
>>>
>>> The biggest headaches I've had with file upload have come from PHP
>>> and Apache settings for file sizes and memory allocations. They're
>>> set pretty low by default. Depending on what you're allowing for
>>> uploads, this may not be an issue at all, but it got me. Also,
>>> validate, validate, validate what's being uploaded.
>>>
>>> On Apr 2, 2009, at 9:15 PM, Joel Shapiro wrote:
>>>
>>>> Hi all
>>>>
>>>> I'm looking for thoughts on how complicated an upload-file site can
>>>> be.
>>>>
>>>> I've got a potential new project that would involve people
>>>> uploading files via the Web and then having those files accessible
>>>> to FMP clients.  I haven't worked with uploading before, but I've
>>>> successfully put together the basics of uploading files and moving
>>>> them to a specified directory.  In my brief experimenting, though,
>>>> I've already seen issues with access privileges of the uploaded
>>>> files (on my development machine) and UPLOAD_ERR_NO_TMP_DIR errors
>>>> on my regular web host.  I'm also aware that there are security
>>>> concerns when uploading files to a server, and know that servers
>>>> and php can be configured quite differently in different machines
>>>> and environments (it's not yet determined if the site will be
>>>> hosted internally or through an external FM host).  FWIW - I'd
>>>> probably leave files in their directory(ies) on the web server and
>>>> have the FMP clients get to them via their network paths, so I'm
>>>> not very concerned about that part of it.
>>>>
>>>> For those that have worked with this, what kinds of problems
>>>> should I be ready for?  Could this be a big headache?
>>>>
>>>> TIA,
>>>> -Joel
>>>> _______________________________________________
>>>> FX.php_List mailing list
>>>> FX.php_List at mail.iviking.org
>>>> http://www.iviking.org/mailman/listinfo/fx.php_list
>>>
>>
>>
>>
>>
>
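Pulling the thread's advice together (authorization before touching the upload, an allow-list instead of renaming dangerous extensions, storage outside the web root so no index.html trick or directory listing matters, and a size check that works with PHP's own limits), here is an upload handler written as an added example for this page. It is not code from the FX.php list or from any poster; the storage path, the size cap, the allowed types, the form field name `upload` and the session key `user_id` are all assumptions. The two php.ini limits Bob could not name are `upload_max_filesize` (default 2M) and `post_max_size` (default 8M, and it must be at least as large as the former); `memory_limit` is the third setting Dale's "memory allocations" refers to. Joel's `UPLOAD_ERR_NO_TMP_DIR` means the temporary folder (`upload_tmp_dir`, or the system default) is missing or not writable for the web server user. The example requires PHP 8 for `match`.

```php
<?php
// Added example for the upload-gotchas thread; not code from the FX.php list.
// Assumptions: UPLOAD_DIR, MAX_BYTES, the ALLOWED list, the form field name
// 'upload' and the session key 'user_id' are all placeholders for this page.
declare(strict_types=1);

// Assumed storage directory OUTSIDE the document root: nothing in it can be
// fetched or executed through Apache, so a stray .php or .sh is inert.
// Files are handed to users through a separate download script (not shown)
// that repeats the authorization check.
const UPLOAD_DIR = '/var/www/uploads_private';   // assumption
const MAX_BYTES  = 5 * 1024 * 1024;               // 5 MiB; upload_max_filesize and post_max_size must be >= this

// Allow-list of extensions mapped to the MIME type the bytes must sniff as.
// A block-list (".php -> .phps", ".sh -> .txt") can never enumerate every
// executable suffix (.phtml, .php5, .cgi, .htaccess, ...).
const ALLOWED = [
    'pdf' => 'application/pdf',
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
    'txt' => 'text/plain',
];

session_start();
// Authorization first, before $_FILES is even looked at (the session key
// name is an assumption; Bob's check uses a different marker).
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Access prohibited.');
}

function upload_error_message(int $code): string
{
    return match ($code) {
        UPLOAD_ERR_INI_SIZE, UPLOAD_ERR_FORM_SIZE => 'File exceeds the size limit.',
        UPLOAD_ERR_PARTIAL    => 'File was only partially uploaded.',
        UPLOAD_ERR_NO_FILE    => 'No file was uploaded.',
        UPLOAD_ERR_NO_TMP_DIR => 'Server has no writable temporary upload directory.',
        UPLOAD_ERR_CANT_WRITE => 'Server could not write the file to disk.',
        UPLOAD_ERR_EXTENSION  => 'A PHP extension blocked the upload.',
        default               => 'Unknown upload error.',
    };
}

/** Returns [ok, message, stored filename or null]. */
function store_upload(array $file): array
{
    if (!isset($file['error']) || is_array($file['error'])) {
        return [false, 'Malformed upload request.', null];
    }
    if ($file['error'] !== UPLOAD_ERR_OK) {
        return [false, upload_error_message($file['error']), null];
    }
    if ($file['size'] > MAX_BYTES) {
        return [false, 'File exceeds the size limit.', null];
    }
    // Only accept files that really arrived through PHP's upload mechanism.
    if (!is_uploaded_file($file['tmp_name'])) {
        return [false, 'Not an uploaded file.', null];
    }

    // Use only the LAST extension, lower-cased, and require it to be on the
    // allow-list. "shell.php.txt" yields "txt" here; that is acceptable only
    // because the file is never served from a PHP-enabled directory.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return [false, 'File type not permitted.', null];
    }

    // Sniff the content; the client-supplied $file['type'] is attacker input.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($detected !== ALLOWED[$ext]) {
        return [false, "Content ($detected) does not match .$ext.", null];
    }

    // Never keep the client's name: it can carry "../", NUL bytes or an
    // executable suffix. Store under a random name and keep the original
    // name, owner and timestamp in the database instead.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest   = UPLOAD_DIR . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return [false, 'Could not store the file.', null];
    }
    chmod($dest, 0600);   // owner read/write only; no execute bit for anyone
    return [true, 'Stored.', $stored];
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    [$ok, $msg, $name] = store_upload($_FILES['upload'] ?? []);
    http_response_code($ok ? 200 : 400);
    echo htmlspecialchars($msg, ENT_QUOTES, 'UTF-8');
}
```

Two caveats a practitioner will want alongside the thread's rename advice. First, under Apache with mod_php, `.phps` is normally mapped to the `application/x-httpd-php-source` handler, which renders highlighted source instead of executing it, so ggt's rename does neutralise a `.php` upload on that setup; but Apache's mod_mime also treats every dot-separated part of a filename as a candidate extension, so on a host configured with `AddHandler` for `.php`, a file named `shell.php.txt` inside a web-reachable directory can still be executed, which is why the example keeps the directory outside the document root rather than relying on renaming. Second, Anders' index.html stops the listing but not direct requests for a file whose name is guessable; the random filename above closes that gap, and the download script, not the file system path, becomes the only way to reach a file.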

