> We can set the webserver to send files for download, so neither the
> webserver or webbrowser will interpret them.

I imagine that even if the files are set for download, they will be interpreted. If, say, I set up a GIF for PHP to run through it, and then force the download header, it will probably download an interpreted GIF. Now if you changed the type of file to, say, text, this might work... Probably. But you will not be able to view any of the images any more; the browser would be treating them like text. :(

There are Apache configs that can disable PHP and CGI on a directory-specific basis, though. I just spent some time playing with them. It seems as though we will have to put them in our own server config files. They are not universally accepted in .htaccess files.

I can see if I can change the permissions of the files that are uploaded so there is read and write access, but not execution access. Not sure if this will work, but worth a try.

Other than that, we will just have to rely on our blacklist, which should also disable some Windows executables to prevent people from uploading viruses, which will not affect the server, but when downloaded could affect the clients.

Another option, which I am really not up to coding, would be to rename the files when they are downloaded and use a database to connect all the original file names with the randomly generated file names we rename them all to. Then we never link directly to any file, but use a script to send the files when they are asked for. This way even if someone got something ugly up onto the server, and they did somehow have execution permissions, they would not know what file to call.

_______________________________________________
Openfontlibrary mailing list
Openfontlibrary@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/openfontlibrary
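
The renaming scheme from the last paragraph of the message, as an added sketch that is not part of the original e-mail or of the project's code. The `UploadStore` class, the `uploads` table and the sample upload are assumptions made for illustration; files are created without execute permission, stored under random names with no extension, and only ever sent by a script as an attachment.

```python
import os, secrets, sqlite3, tempfile
from urllib.parse import quote

class UploadStore:
    """Hypothetical store: random names on disk, original names only in the DB."""
    def __init__(self, root, db_path=":memory:"):
        self.root = root
        self.db = sqlite3.connect(db_path)
        self.db.execute("CREATE TABLE IF NOT EXISTS uploads "
                        "(id INTEGER PRIMARY KEY, stored TEXT UNIQUE, original TEXT)")

    def save(self, original_name, data):
        stored = secrets.token_hex(16)  # unguessable name, no extension to map a handler to
        # O_EXCL never overwrites an existing file; 0o600 is read/write with no execute bit
        fd = os.open(os.path.join(self.root, stored),
                     os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        cur = self.db.execute("INSERT INTO uploads (stored, original) VALUES (?, ?)",
                              (stored, os.path.basename(original_name)))
        self.db.commit()
        return cur.lastrowid  # links use this id, never the on-disk name

    def fetch(self, upload_id):
        """Return (headers, body) for a download, or None if the id is unknown."""
        row = self.db.execute("SELECT stored, original FROM uploads WHERE id = ?",
                              (upload_id,)).fetchone()
        if row is None:
            return None
        stored, original = row
        with open(os.path.join(self.root, stored), "rb") as f:
            body = f.read()
        headers = {
            "Content-Type": "application/octet-stream",
            "Content-Disposition": "attachment; filename*=UTF-8''" + quote(original),
            "X-Content-Type-Options": "nosniff",  # browser must not guess a type
        }
        return headers, body

def demo():
    with tempfile.TemporaryDirectory() as root:
        store = UploadStore(root)
        uid = store.save("../evil.php", b"<?php echo 1; ?>")  # constructed sample upload
        headers, body = store.fetch(uid)
        return os.listdir(root), headers, body, store.fetch(9999)

if __name__ == "__main__":
    print(demo())
```

The upload directory should sit outside the web root so that the download script is the only way to reach the files.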