2010/2/3 Frank Stelzer <[email protected]>:
> But how should symfony know that an uploaded yml or php file (or whatever) is
> a bad file?

I think the answer is: it can't. That's why, for me, it's always mandatory that the upload dir is out of the webdir. If something must be accessed directly by a user, it should be accessed via a wrapper. It helps to restrict access to the file (if we want, we can put a policy on it) and it helps to prevent code execution as described in the first mail of this thread.

The overhead of the wrapper is very small for most projects, and if the developer needs optimization, then he should know what to do (move the file into the webdir). If he knows what to do, then he certainly knows that he should check the file before moving it.

Regards,
Florian MAURY
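
The wrapper approach described in the message above, as an added example that is not part of the original e-mail and is not symfony code: uploads live outside the web root and are only ever streamed as bytes through a script that resolves the requested name inside that directory. The directory `/var/app/uploads`, the `name` query parameter and both function names are assumptions made for illustration.

```php
<?php
// Added example: download wrapper for uploads stored outside the web root.
// Directory, parameter and function names are assumptions, not symfony API.

// Map a user-supplied name to a real file inside $baseDir, or null.
function resolve_upload(string $baseDir, string $name): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $name === '' || strpos($name, "\0") !== false) {
        return null;
    }
    // basename() drops directory components; realpath() resolves symlinks.
    $path = realpath($base . DIRECTORY_SEPARATOR . basename($name));
    if ($path === false || !is_file($path)) {
        return null;
    }
    // Containment check: the resolved path must still be under the base dir.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Stream the file as an opaque download; it is read, never included or executed.
function serve_upload(string $path): void
{
    header('Content-Type: application/octet-stream');
    header("Content-Disposition: attachment; filename*=UTF-8''" . rawurlencode(basename($path)));
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

if (PHP_SAPI === 'cli') {
    // Constructed demo: a temporary upload dir holding one uploaded ".php" file.
    $dir = sys_get_temp_dir() . '/uploads_demo_' . getmypid();
    mkdir($dir);
    file_put_contents("$dir/report.php", '<?php echo "uploaded content";');
    foreach (['report.php', '../../etc/passwd', 'missing.txt'] as $name) {
        echo $name, ' => ', var_export(resolve_upload($dir, $name), true), PHP_EOL;
    }
    unlink("$dir/report.php");
    rmdir($dir);
} else {
    // Web entry point; an access policy (login, ownership) would be enforced here.
    $name = $_GET['name'] ?? '';
    $path = is_string($name) ? resolve_upload('/var/app/uploads', $name) : null;
    if ($path === null) {
        http_response_code(404);
        exit;
    }
    serve_upload($path);
}
```

Because the stored file is outside the web root and is only passed to `readfile()`, its extension never reaches the web server's handler mapping, so an uploaded `.php` or `.yml` file is delivered as data regardless of its content.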
