Hi,

If some files uploaded by users have to be accessed by them, I personally think they should be considered as static assets.

In my projects, css/js and uploads folders are served by nginx and not processed by the apache + php/ruby/python/asp/.. handler. That's why my earlier solution was to disable processing of any file inside the uploads folder by using a simple line inside the project's web/.htaccess (hasn't been bulletproofed, but minimal tests are working):

    RewriteRule ^(uploads\/.+)$ $1 [T=application/octet-stream]

It's a good first protection against that issue, and if the admin wants to go further, let him add his own protection against certain kinds of files.

Pascal

On Wed, Feb 3, 2010 at 09:20, Florian MAURY <[email protected]> wrote:
> 2010/2/3 Frank Stelzer <[email protected]>:
> > But how should symfony know that an uploaded yml or php file (or whatever) is
> > a bad file?
>
> I think the answer is: it can't.
> That's why, for me, it's always mandatory that the upload dir is out
> of the webdir. If something must be accessed directly by a user, it
> should be accessed via a wrapper. It helps to restrict access to the
> file (if we want we can put a policy on it) and it helps to prevent
> code execution like described in the first mail of this thread.
> The overhead of the wrapper is very small for most projects, and if
> the developer needs optimization, then he should know what to do
> (move the file into the webdir); if he knows what to do, then he
> certainly knows that he should check the file before moving it.
>
> Regards,
> Florian MAURY
>
> --
> You received this message because you are subscribed to the Google Groups
> "symfony developers" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected]
> For more options, visit this group at
> http://groups.google.com/group/symfony-devs?hl=en.

--
Pascal
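The wrapper Florian describes (uploads stored outside the web directory and handed out by a script that enforces a policy) is easy to get wrong on the path-containment side. Below is an added example, not code from this thread or from symfony, of such a wrapper in plain PHP. It assumes PHP 7+, an upload directory at the hypothetical path /var/app/uploads outside the document root, and a file name passed as the f query parameter; the access-policy check is left as a marked hook. It also forces application/octet-stream and an attachment disposition, which is the same idea as Pascal's RewriteRule but applied by the wrapper, plus X-Content-Type-Options: nosniff so browsers do not second-guess the type.

```php
<?php
// Added example (not from the thread): a minimal download wrapper that serves
// user uploads stored OUTSIDE the web root, as Florian proposes.
// Assumptions: PHP 7+, uploads live in UPLOAD_DIR (hypothetical path), the
// requested name comes from the query string, e.g. /download.php?f=report.pdf

declare(strict_types=1);

const UPLOAD_DIR = '/var/app/uploads'; // outside the document root (assumed)

/**
 * Resolve a user-supplied file name to an absolute path inside $baseDir.
 * Returns null when the name is empty, escapes the directory ("..", absolute
 * paths, symlinks pointing elsewhere) or does not point to a regular file.
 */
function resolveUpload(string $baseDir, string $name): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $name === '') {
        return null;
    }
    // realpath() collapses "..", "." and symlinks; it returns false when the
    // target does not exist, which already rejects most traversal attempts.
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($path === false || !is_file($path)) {
        return null;
    }
    // Containment check: the resolved path must sit strictly below $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

/**
 * Build the response headers for a resolved upload. The content type is forced
 * to application/octet-stream and the file is sent as an attachment, so the
 * browser never interprets it; nosniff disables MIME sniffing.
 */
function downloadHeaders(string $path): array
{
    // Keep only characters that are safe inside a quoted header value.
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path));
    return [
        'Content-Type: application/octet-stream',
        'X-Content-Type-Options: nosniff',
        'Content-Disposition: attachment; filename="' . $safeName . '"',
        'Content-Length: ' . filesize($path),
    ];
}

// Entry point when invoked over HTTP (skipped under the CLI).
if (PHP_SAPI !== 'cli') {
    // Access-policy hook (assumed): check the session / ACL here before serving.
    $path = resolveUpload(UPLOAD_DIR, (string) ($_GET['f'] ?? ''));
    if ($path === null) {
        http_response_code(404);
        exit;
    }
    foreach (downloadHeaders($path) as $header) {
        header($header);
    }
    readfile($path);
}
```

Because the upload directory is outside the document root, a PHP or YAML file that slips through upload validation is never reachable as a URL, so it cannot be executed by the web server's handler; the wrapper only ever streams bytes. The containment check after realpath() is what stops a request like f=../../etc/passwd from walking out of the directory, and responding 404 (rather than 403) for both missing and out-of-bounds names avoids confirming which paths exist.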
