I can't believe nobody mentioned this bug in the
Forums, as its absolutely essential for security
reasons to block out several file-extensions:
in the file script.js look for this line of code:
var re = /^(\.php)|(\.sh)/; // disallow shell scripts
and php
this code looks for the extension at the beginning of
the filename which i guess wont be found there very
often ;)
instead of the beginning /^ and the ending / it should
be / and $/
as shown in the example below, to check for the
extension at the end of the filename:
var re = /(\.php)|(\.sh)$/; // disallow shell scripts
and php
i tested this fix for version 1.35 and 1.45, and it
worked in both cases, but i'm sure it will also work
for all versions in between.
ps. i lost around 4 hours trying to get the demo of
1.45 to work until i read in a posting on this forum,
that in the readme.txt it says its a beta version, and
1.35 would be the last stable one, so i tried this and
it worked exept for this mentioned bug perfectly, so 1.
PLEASE write on the downloadpage everything newer than
1.35 is BETA, so others dont loose their mind over it
until they find out later, and 2. THANKS for your great
work Raditha and all the others! ;)
Logged In: NO
oops, i oversaw something, the $ must be after every
extension like this:
var re = /(\.php)$|(\.sh)$|(\.exe)$/;
otherwise "test.php.jpeg" would be blocked too
sorry for any inconveniences
Logged In: YES
user_id=160407
I think the safest way is to not allow the directory to be
read where files are uploaded. Give write access to the web
server but not read access.