Hi Reini,
there's no way for the user to get access to the parent directory on the
server. As long as the user only sees the upload button/textfield he/she
cannot do anything evil on the server-filesystem. The destination is
always the upload directory since the file content is copied from
/tmp/myfile to uploads/. The user cannot do anything against it.
/Bernd
Reini Urban wrote:
> Bernd Porr schrieb:
>
>> Hi all,
>>
>> wouldn't be a good idea to introduce relative paths in the UpLoad
>> plugin as well?
>>
>> var $url_prefix = "http:../uploads/";
>>
>> ...and changing the output
>>
>> $message->pushContent(_("File successfully uploaded to
>> location:"));
>> $message->pushContent(HTML::br());
>>
>>
>> $message->pushContent(HTML::strong(_("[$url_prefix$userfile_name]")));
>> $message->pushContent(HTML::br());
>>
>> to boldface. Otherwise the ".." might be interpreted as dirt on the
>> monitor. :-)
>>
>>
>> --------------------
>>
>> The same applies to the file location:
>>
>> var $file_dir;
>>
>> function WikiPlugin_EmbedUpload() {
>> if (defined('PHPWIKI_DIR')) {
>> $this->file_dir= PHPWIKI_DIR . "/uploads/";
>> } else {
>> $this->file_dir= "uploads/";
>> }
>> }
>>
>>
>> ----------------------
>>
>> this would make the plugin usable without any modification in the
>> source.
>> If this, however, is already in the CVS then simply forget it. :-)
>
>
> good idea, but hard to implement.
> it needs more security tests. "../../" must not be allowed e.g.
>
--
Contact information:
http://www.cn.stir.ac.uk/~bp1/
|
