> And what if you don't use Apache? Or if .htaccess are not allowed in your
> Apache configuration?

Most Symfony developers would be using Apache, so I think this is still a good idea.

> As you said, I think this is up to the developer to take care of this.

I agree, in the end this is the developer's responsibility, but if there is a solution that will cover many/most/majority situations (like the .htaccess) then I think it is something worthwhile.

On Sun, Jan 31, 2010 at 9:37 PM, Fabien Potencier <[email protected]> wrote:
>
> On 1/30/10 5:16 PM, Tom Boutell wrote:
>>
>> This is not a bug in Symfony. Being smart with files and never, ever
>> blindly trusting file extensions uploaded by end users (!!!) is up to
>> the developer.
>>
>> However, it would indeed be very straightforward to block as you
>> suggest, so dropping a .htaccess to that effect in the web/uploads
>> folder of a newly generated project might be a good idea. Just as the
>> Propel and Doctrine ORMs make it naturally difficult to goof and
>> execute user input as SQL code, such a .htaccess file would make
>> things a little safer "out of the box" for file upload management.
>
> And what if you don't use Apache? Or if .htaccess are not allowed in your
> Apache configuration?
>
> As you said, I think this is up to the developer to take care of this.
>
> Fabien
>
>> As for Diem, you logged in as an admin who should presumably have all
>> privileges, so I think you should check and make sure this is really
>> permitted for an "ordinary" Diem user before you rush to the
>> conclusion that it is a security hole in Diem.
>>
>> (Our Apostrophe CMS does limit what can be uploaded. But Apostrophe
>> has seen a lot of deployment in environments with many users where
>> that sort of caution is warranted.)
>>
>> On Sat, Jan 30, 2010 at 11:08 AM, Éric Rogé <[email protected]> wrote:
>>>
>>> THE ISSUE
>>>
>>> When a user uploads a file in a form, Symfony stores it by default in
>>> the "web/uploads" directory, and the files in that directory can be
>>> reached by any user.
>>>
>>> Imagine: a hacker succeeds in uploading a file named attack.php that
>>> contains this line:
>>>
>>> <?php echo file_get_contents('../../config/databases.yml'); ?>
>>>
>>> You see what I mean? Ouch.
>>>
>>> What does the hacker need? Just a form that doesn't check the
>>> uploaded files' extensions well enough.
>>>
>>>
>>> How the hell could it happen? By at least 3 ways:
>>>
>>> 1/ The developer doesn't know his job or has been lazy: Checking file
>>> types? Why? How?
>>>
>>> 2/ The developer wanted to build a flexible app
>>>
>>> A job application, users have to upload their CV. Which extensions
>>> should I accept in this form? Hmmm, PDF for sure. And Word files. And
>>> Pages. And Open Office and RTF and... Come on! Let's just say that
>>> all files are welcome as long as they aren't too big!
>>>
>>> 3/ Trickier one: PHP is turned on for unusual file extensions
>>>
>>> A myspace-like service lets users upload their own CSS for their
>>> private space.
>>> A few weeks later, PHP is turned on in CSS files to add a brand new cool
>>> feature. Great, now the hacker just has to upload an attack.css file
>>> with PHP in it...
>>>
>>>
>>> REAL LIFE SAMPLE
>>>
>>> I'm afraid that these kinds of forms are very easy to find.
>>> The first I've found: the Diem project
>>>
>>> Go to the admin
>>> http://demo.diem-project.org/admin.php/content/site/sites-using-diem/new
>>> (use "admin" as login and password)
>>>
>>> In the thumbnail field, you can upload any PHP file, it will be
>>> published online....
>>>
>>>
>>> FIX PROPOSAL
>>>
>>> PHP should definitely be disabled by default in the uploads
>>> directory:
>>>
>>> <Directory "/path/to/my/sfProject/web/uploads">
>>> php_flag engine off
>>> </Directory>
>>>
>>> The fix could be released as a .htaccess added to the uploads directory. I
>>> think it should be the easiest way for many symfony users.
>>>
>>> --
>>> You received this message because you are subscribed to the Google Groups
>>> "symfony developers" group.
>>> To post to this group, send email to [email protected].
>>> To unsubscribe from this group, send email to
>>> [email protected].
>>> For more options, visit this group at
>>> http://groups.google.com/group/symfony-devs?hl=en.

--
Blue Horn Ltd - System Development
http://bluehorn.co.nz
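A hardened version of the .htaccess proposed in the thread, added here as an example (it is not code from the thread, from Symfony or from Diem); it assumes the vhost's AllowOverride permits these directives, and it guards php_flag so the file does not break servers that run PHP through something other than mod_php:

```apache
# .htaccess for web/uploads (added example; the thread's own proposal is
# only "php_flag engine off"). Assumed: the vhost sets
# "AllowOverride Options Limit AuthConfig FileInfo" (or All) for this dir.

# 1. Stop mod_php from executing anything here. Guarded by IfModule:
#    without mod_php loaded, a bare php_flag line is an unknown directive
#    and every request under this directory fails with a 500.
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
<IfModule mod_php.c>
    php_flag engine off
</IfModule>

# 2. Detach the PHP handler and MIME type for this tree, so a file is
#    served as plain content even where php_flag is ignored.
RemoveHandler .php .phtml .phar
RemoveType .php .phtml .phar

# 3. Refuse to serve PHP-looking names at all, whatever the SAPI.
#    "(\.|$)" also matches double extensions such as attack.php.jpg,
#    which AddHandler-based setups would still hand to PHP.
<FilesMatch "(?i)\.(php[0-9]?|phtml|phar)(\.|$)">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# 4. No CGI execution and no directory listings in the upload tree.
Options -ExecCGI -Indexes
```

It still only covers Apache with .htaccess enabled, which is exactly the gap Fabien pointed out; under nginx or php-fpm the equivalent rule has to live in the server configuration, and storing uploads outside the web root sidesteps the question entirely.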
