Why can't we just block a file that begins with dot by default?

On Mon, Feb 1, 2010 at 12:58 PM, Tom Boutell <[email protected]> wrote:
> Oops! Laurent is correct. We should NOT do this because it can be
> trivially overridden by simply uploading a file called .htaccess to
> shut it off. There is nothing worse than a security measure that
> doesn't actually work, because people trust it and stop doing their
> homework.
>
> Allowing users to upload any file extension they want is never smart -
> you should always have an approved list of extensions that you accept,
> and ideally sniff file types by actual content rather than extension
> (but Macs do provide extensions too these days, so life isn't quite as
> painful as it used to be).
>
> It might make sense for Symfony's file upload handling to reject .php
> files by default, but where does that end? Some servers are configured
> to block PHP code in .html files too, yet uploading HTML files is
> often desirable.
>
> File extensions are not the end of it either! What if the browser is
> really a script that stuffs in a relative path as the filename? Your
> code shouldn't trust that and overwrite the contents of your site.
>
> The Symfony documentation could call more attention to the fact that
> the user's filename (not just extension!) should never be trusted. And
> it might be nice to have a standard validator available for rejecting
> anything that isn't a web-friendly image file (GIF, JPEG, PNG) since
> that is such a common case. Such a validator could check the actual
> contents of the file easily with the imagesize() function, which is
> standard in PHP, and force the appropriate file extension as well as
> forcing the filename to \w+ only, perhaps optionally suggesting a
> nonconflicting filename if the file already exists.
>
> But in the general case, what is "safe" depends on what you're trying
> to do. If you're writing a pure-PHP file sync tool to get around the
> lack of a shell on Rackspace Cloud and you've already checked for an
> appropriate password, uploading PHP files right on top of the main app
> folder might be exactly what you want to do (and yes, we do this on
> one site right now).
>
> Symfony can help you avoid stepping in open manhole covers but you
> still shouldn't walk along dark alleys wearing an iPod and mirror
> shades at 2am (:
>
> On Sun, Jan 31, 2010 at 11:36 AM, Laurent Bachelier
> <[email protected]> wrote:
>> What prevents me from uploading an .htaccess file and overriding the
>> configuration?
>> The real solution is, as always, validate user input.
>>
>> On Jan 30, 5:08 pm, Éric Rogé <[email protected]> wrote:
>>> <Directory "/path/to/my/sfProject/web/uploads">
>>> php_flag engine off
>>> </Directory>
>>>
>>> The fix could be released as a .htaccess added to the uploads directory.
>>> I think it would be the easiest way for many symfony users.
>
> --
> Tom Boutell
> P'unk Avenue
> 215 755 1330
> punkave.com
> window.punkave.com

--
Blue Horn Ltd - System Development
http://bluehorn.co.nz

--
You received this message because you are subscribed to the Google Groups "symfony developers" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/symfony-devs?hl=en.
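As an added example (this is not code from the thread, from Symfony, or from any of the posters), here is a PHP validator along the lines Tom sketches: it drops any path component from the client filename, refuses dot-files (the question asked at the top of this message), ignores the client's extension entirely, sniffs the content with getimagesize() (the function Tom refers to as imagesize()), forces the extension from the detected type, reduces the stem to \w+, and picks a non-conflicting name. The function names, the 64-character stem cap and the `_N` suffix scheme are my own assumptions.

```php
<?php
// Added example, not Symfony's upload handling. Assumes PHP >= 7.1 with the
// standard getimagesize() available (it does not need the GD extension).

// Accepted image types, keyed by the IMAGETYPE_* constant that getimagesize()
// reports, mapped to the extension we will *force* on the stored file.
// Anything else (BMP, SWF, a PHP script, ...) is rejected.
const ALLOWED_IMAGE_TYPES = [
    IMAGETYPE_GIF  => 'gif',
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
];

/**
 * Reduce a client-supplied filename to a safe stem: strip any directory
 * part, refuse dot-files, keep only [A-Za-z0-9_], cap the length.
 * Returns null if nothing usable survives.
 */
function safeStem(string $clientName): ?string
{
    // Never trust the path part: a scripted "browser" can send "../../index.php".
    $base = basename(str_replace('\\', '/', $clientName));

    // Block dot-files outright (.htaccess, .user.ini, ...).
    if ($base === '' || $base[0] === '.') {
        return null;
    }

    // Drop the client's extension entirely; we derive our own from content.
    // Because the stem can no longer contain a dot, double extensions such as
    // "shell.php.jpg" cannot survive either.
    $stem = pathinfo($base, PATHINFO_FILENAME);
    $stem = preg_replace('/[^A-Za-z0-9_]/', '_', $stem);
    $stem = substr($stem, 0, 64);            // assumption: 64 chars is enough

    return ($stem === '' || $stem === false) ? null : $stem;
}

/**
 * Validate an uploaded file by content and choose a safe, non-conflicting
 * destination filename inside $uploadDir.
 * Returns ['ok' => bool, 'reason' => string, 'filename' => ?string].
 */
function validateImageUpload(string $tmpPath, string $clientName, string $uploadDir): array
{
    $stem = safeStem($clientName);
    if ($stem === null) {
        return ['ok' => false, 'reason' => 'unusable filename', 'filename' => null];
    }

    // Sniff by content: getimagesize() parses the image header, not the name.
    // Index 2 of its result is the IMAGETYPE_* constant.
    $info = @getimagesize($tmpPath);
    if ($info === false || !isset(ALLOWED_IMAGE_TYPES[$info[2]])) {
        return ['ok' => false, 'reason' => 'not a GIF/JPEG/PNG', 'filename' => null];
    }
    $ext = ALLOWED_IMAGE_TYPES[$info[2]];

    // Force the extension from the detected type, never from the client,
    // and append _1, _2, ... rather than overwrite an existing file.
    $candidate = "$stem.$ext";
    for ($i = 1; file_exists("$uploadDir/$candidate"); $i++) {
        $candidate = "{$stem}_$i.$ext";
    }

    return ['ok' => true, 'reason' => '', 'filename' => $candidate];
}

// Usage inside a request handler (field name "avatar" is an assumption):
//
//   $f = $_FILES['avatar'];
//   $result = validateImageUpload($f['tmp_name'], $f['name'], $uploadDir);
//   if ($result['ok']) {
//       // move_uploaded_file() refuses anything that did not arrive via an
//       // HTTP upload, so the temp path cannot be pointed at an arbitrary file.
//       move_uploaded_file($f['tmp_name'], "$uploadDir/{$result['filename']}");
//   }
```

Two caveats a practitioner should keep in mind. First, getimagesize() only proves that the file starts with a parsable image header: a polyglot that is a valid GIF or JPEG and also carries PHP source in its body passes this check. What the validator actually guarantees is that the stored file can never be handed to the PHP interpreter by name, because the stem has no dots, the extension is ours, and dot-files are refused. Second, as Laurent and Tom point out, an `.htaccess` inside the uploads directory is itself just an uploadable file, so the "engine off" rule belongs in the server configuration instead: put `php_admin_flag engine off` in a `<Directory>` block in httpd.conf (php_admin_* directives cannot be changed from .htaccess or ini_set()) and set `AllowOverride None` for that directory so no uploaded .htaccess is consulted at all.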
