On Sat, Mar 16, 2002 at 06:10:18PM +0200, Shlomi Fish wrote: > On Sat, 16 Mar 2002, mulix wrote:
> > show me how a script that fulfills the function required can be made > > secure, please... > > Simple, by making sure that: > > 1. The filename does not contain slashes at all. > 2. The filename does not start with a dot. > 3. The file is up to a certain size. > 4. The total size of the directory is up to a certain size. > 5. The file is always created with the same permissions which are not > executable. > > It requires some sanity checks, but it is doable. gah, you completely missed the point. do you allow *any* user to upload a file? if not, you need to authenticate them. please show me how to do that securely and with resilience to a man in the middle attach or a replay attack, without going to too much effort in a cgi script. if you do allow any user, i claim that your cgi is insecure by default. -- The ill-formed Orange Fails to satisfy the eye: http://vipe.technion.ac.il/~mulix/ Segmentation fault. http://syscalltrack.sf.net/ ---------------------------------------------------------------------------- To unsubscribe, send a message to [EMAIL PROTECTED] Archives available at http://www.mail-archive.com/[email protected]/
