On Sat, 16 Mar 2002, mulix wrote:
> On Sat, Mar 16, 2002 at 06:10:18PM +0200, Shlomi Fish wrote:
> > On Sat, 16 Mar 2002, mulix wrote:
>
> > > show me how a script that fulfills the function required can be made
> > > secure, please...
> >
> > Simple, by making sure that:
> >
> > 1. The filename does not contain slashes at all.
> > 2. The filename does not start with a dot.
> > 3. The file is up to a certain size.
> > 4. The total size of the directory is up to a certain size.
> > 5. The file is always created with the same permissions which are not
> > executable.
> >
> > It requires some sanity checks, but it is doable.
>
> gah, you completely missed the point.
>
> do you allow *any* user to upload a file? if not, you need to
> authenticate them. please show me how to do that securely and with
> resilience to a man in the middle attach or a replay attack, without
> going to too much effort in a cgi script. if you do allow any user, i
> claim that your cgi is insecure by default.
I'm not going to allow any user. What I am going to do is use SSL or
something like that. I don't know if SSL allows a man in the middle
attack, because I'm not an expert in Crypto{graphy,logy}. But I think a
man in the middle cannot duplicate the iglu.org.il's SSL certificate.
Regards,
Shlomi Fish
> --
> The ill-formed Orange
> Fails to satisfy the eye: http://vipe.technion.ac.il/~mulix/
> Segmentation fault. http://syscalltrack.sf.net/
>
>
>
>
----------------------------------------------------------------------
Shlomi Fish [EMAIL PROTECTED]
Home Page: http://t2.technion.ac.il/~shlomif/
Home E-mail: [EMAIL PROTECTED]
"Let's suppose you have a table with 2^n cups..."
"Wait a second - is n a natural number?"
----------------------------------------------------------------------------
To unsubscribe, send a message to [EMAIL PROTECTED]
Archives available at http://www.mail-archive.com/[email protected]/
