From: Whit B. <wh...@tr...> - 2004-03-07 20:22:15

On Sun, Mar 07, 2004 at 01:45:24PM -0600, electron wrote:
> Since the upload plugin doesn't currently do any bounds checking, a
> malicious user can upload a hackme.php and do malicious things. I can come
> up with a fun list if you really want.

v 1.6 2004/02/27 (from the nightly a few days back) checks for disallowed extensions including php. That's not enough to be really safe (for instance, .php3 would work, and many servers recognize that). But it would be fairly simple to change it instead to run a regex of _allowed_ extensions (i.e., jpg, jpeg, gif, zip ... whatever fits your purpose) and block everything else. Then all you have to do is be sure there's no way a file with any of your allowed extensions has any way of being executed, or included in something that would render its contents so.

YMMV. In other contexts I've allowed signed-in users to upload via PHP for years, and locking it down to the specific file types that make sense in the context and (as far as I know) there have been no problems.

Whit
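The allowed-extension check described in the message above, set beside a disallowed-extension check, as an added example (not the upload plugin's code and not part of the original message). The function names, the extension lists and the sample file names are assumptions made for illustration.

```php
<?php
// Added example: compares a denylist of extensions with an allowlist regex.
// Names and lists here are hypothetical, not taken from the plugin.

// Denylist: refuses only the extensions someone remembered to list.
function denylist_accepts(string $filename): bool
{
    $blocked = ['php', 'pl', 'cgi', 'sh'];   // assumed list
    $ext = strtolower(pathinfo(basename($filename), PATHINFO_EXTENSION));
    return !in_array($ext, $blocked, true);
}

// Allowlist: the whole name must match the pattern, otherwise it is refused.
// Restricted character set and a single extension, so the name cannot carry
// a path component or a second suffix. \A and \z anchor the entire string.
function allowlist_accepts(string $filename): bool
{
    $name = basename($filename);   // discard any client-supplied directory
    return preg_match('/\A[A-Za-z0-9_-]+\.(?:jpe?g|gif|zip)\z/i', $name) === 1;
}

// Constructed upload names, not taken from any real log.
$samples = ['photo.JPG', 'archive.zip', 'hackme.php', 'hackme.php3', 'README'];

foreach ($samples as $f) {
    printf(
        "%-12s denylist=%-6s allowlist=%s\n",
        $f,
        denylist_accepts($f) ? 'accept' : 'reject',
        allowlist_accepts($f) ? 'accept' : 'reject'
    );
}
```

The upload directory still has to be configured so that nothing stored in it is executed or included, which no filename check can guarantee on its own.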