Hi,

Dave Crossland wrote:
> 2008/11/3 Brendan Ferguson <[EMAIL PROTECTED]>:
>
>> Getting the
>> file onto the server is the first big step in launching an attack.
>>
>
> We can set the webserver to send files for download, so neither the
> webserver nor the web browser will interpret them.
>
> So could we accept all files, but make them only for download, and
> tell site visitors to report problems to us if there are dodgy files?
>
> http://www.thingy-ma-jig.co.uk/blog/06-08-2007/force-a-pdf-to-download
> explains how to do this for *.pdf files in a case-insensitive,
> cross-browser way.
>
This download-as-dumb-data policy, combined with ccHost's file-verification capabilities, seems adequate to me. I do see the potential for attacks based on the contents of an upload, but why should we accept uploaded HTML files, and why should we allow any uploaded file to be executed by Apache?

I believe what is needed is this:

- accept uploads as either loose files or an archive (.tgz, .zip, perhaps .7zip and .bzip)
- if this is a new typeface, create a directory for it inside the user's directory
- unarchive everything once the archive has been uploaded, *replacing any files with the same name*

And then have download links for each individual file and a .tgz (or perhaps better a .zip) for the whole directory.

That's different in detail to what ccHost does right now, but it's compatible in spirit. It also leaves the way open for access via special URLs for package-maintaining scripts or whatever, with no need for human intervention.

Cheers,
Ben

_______________________________________________
Openfontlibrary mailing list
Openfontlibrary@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/openfontlibrary
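The two points raised in this thread, serving uploads as download-only data and never letting Apache execute an uploaded file, can be enforced in one place. The following httpd.conf fragment is an added example, not configuration from the thread, ccHost or the linked blog post; the upload path /var/www/ofl/uploads is assumed, as are mod_headers, mod_mime and (if present) mod_php.

```apache
# Added example: harden the upload tree so Apache treats every file in it as
# opaque download data. Path and module names below are assumptions.
<Directory "/var/www/ofl/uploads">
    # No listings, no server-side includes, no CGI in this tree.
    Options -Indexes -Includes -ExecCGI
    # Ignore any .htaccess an uploader manages to place here.
    AllowOverride None

    # Drop handlers/types inherited from the parent config, so a file called
    # font.php or README.cgi is delivered as bytes, not run as a program.
    RemoveHandler .php .phtml .php3 .php5 .cgi .pl .py .shtml
    RemoveType .php .phtml .php3 .php5
    # If mod_php is loaded, also switch its engine off for this tree.
    <IfModule mod_php5.c>
        php_admin_flag engine off
    </IfModule>

    # Serve everything as a generic binary type and force a download dialog,
    # regardless of extension or its case (.PDF, .Html, ...). This is the
    # case-insensitive, cross-browser behaviour the thread asks for, applied
    # to all files rather than only *.pdf.
    ForceType application/octet-stream
    <IfModule mod_headers.c>
        Header set Content-Disposition "attachment"
        # Tell browsers not to sniff a different type out of the content.
        Header set X-Content-Type-Options "nosniff"
    </IfModule>
</Directory>
```

Check the result with `curl -I` against an uploaded .html file: the response should carry `Content-Type: application/octet-stream` and `Content-Disposition: attachment`, and a PHP file in the tree should come back as its source text rather than its output.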