Hi,

2010/2/3 Pascal <[email protected]>:
> Hi,
> If some files uploaded by users have to be accessed by them, I personally
> think they should be considered as static assets.
> In my projects, css/js and uploads folders are served by nginx and not
> processed by apache + php/ruby/python/asp/.. handler
> That's why my earlier solution was to disable processing of any file into
> uploads folder by using a simple line inside project web/.htaccess (hasn't
> been bulletproofed, but minimal tests are working)

Agreed. Should be, but often aren't.

Yes. It can work. In some cases. Two webservers like this are only seen in companies knowing their job and/or having specific performance problems. Those guys know how to secure an upload dir. A "beginner" doesn't. The framework could help, starting by not putting this kind of dir in the webdir.

As already stated, php_flag (in .htaccess or in httpd.conf) is only useful with php as a module of Apache. A smaller piece of a piece.

> RewriteRule ^(uploads\/.+)$ $1 [T=application/octet-stream]
> It's a good first protection against that issue and if the admin wants to go
> further let him add his own protection against certain kind of files.

As already stated, this won't work if files have to be displayed, or played. They are going to be downloaded. I believe browsers use the Content-Type to know what to do with a binary stream.

Florian MAURY
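
The two points raised in the reply above (keeping the upload directory out of the web directory, and still sending a usable Content-Type for files that must be displayed) can be combined in a small download script. This is an added example, not code from the thread or from symfony; the storage path, the `f` parameter, the script name and the list of inline types are assumptions.

```php
<?php
// Added example, not from the thread. Assumed layout: uploads are stored in
// /var/app/data/uploads (hypothetical path, outside the document root) and
// this script is reached as download.php?f=<stored name>.
declare(strict_types=1);

const UPLOAD_DIR = '/var/app/data/uploads';

// Types the browser may render inline; everything else is forced to download.
const INLINE_TYPES = ['image/png', 'image/jpeg', 'image/gif', 'application/pdf'];

function resolveUpload(string $name): ?string
{
    // basename() drops any directory part, so "../" cannot leave UPLOAD_DIR.
    $path = realpath(UPLOAD_DIR . '/' . basename($name));
    if ($path === false || !is_file($path)) {
        return null;
    }
    // realpath() followed symlinks; make sure the result is still inside.
    $root = realpath(UPLOAD_DIR);
    if ($root === false
        || strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $path;
}

$requested = $_GET['f'] ?? '';
$path = resolveUpload(is_string($requested) ? $requested : '');
if ($path === null) {
    http_response_code(404);
    exit;
}

// Detect the type from the content, never from the client-supplied name.
$type = (new finfo(FILEINFO_MIME_TYPE))->file($path);
if (!in_array($type, INLINE_TYPES, true)) {
    $type = 'application/octet-stream';
    header('Content-Disposition: attachment; filename="'
        . rawurlencode(basename($path)) . '"');
}
header('Content-Type: ' . $type);
header('X-Content-Type-Options: nosniff'); // stop the browser guessing another type
header('Content-Length: ' . filesize($path));
readfile($path); // bytes are streamed, never handed to the PHP interpreter
```

Because the files never sit under the document root, this does not depend on php_flag, on mod_php, or on any .htaccess rule being honoured.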
