Long term, moving the uploads folder out of the webdir does make
sense. Skilled devs can hook the project:permissions task and add a
writable folder under web/ if they need one for performance reasons.
It might be a good idea to continue to have such a folder by default
but not have it be the default destination of uploaded files.
Programmers who are paying attention and validating things properly
can then reap the performance benefits by moving files there after
validation.

(Wrappers for accessing all uploaded files only sound like a good idea
until you're dealing with thousands of huge image files. Then you start
wondering why you're pinning down PHP instead of just letting Apache
do its job. "Just wrap everything" is not a serious answer for, let's
say, every photo in a CMS.)

On Mon, Feb 8, 2010 at 9:22 AM, Florian MAURY <[email protected]> wrote:
> 2010/2/8 Éric Rogé <[email protected]>:
>> I've added a new todo on Symfony Check :
>> http://symfony-check.org/permalink/protect-yourself-against-user-uploaded-files
>>
>> My English can be pretty sloppy sometimes, corrections are welcome.
>
>
> Hi Eric,
> For the record, you should add to your documentation that this
> security is only working for admins using Apache + mod_php4 | mod_php5
> as php-cgi, php + fastcgi, lighttpd + php, or nginx + php won't be
> secured this way.
> You should also add that it is mandatory that the .htaccess has 4xx
> rights, to prevent somebody from uploading a .htaccess over it, if no
> proper sanitizing is done on the filename.
>
> You can also add, I think, that the best way to secure the upload is
> to move the upload dir out of the web dir... (@Krzys, thank you, I was
> feeling alone ;))
>
> Regards,
> Florian MAURY
>
> --
> You received this message because you are subscribed to the Google Groups 
> "symfony developers" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to 
> [email protected].
> For more options, visit this group at 
> http://groups.google.com/group/symfony-devs?hl=en.
>
>



-- 
Tom Boutell
P'unk Avenue
215 755 1330
punkave.com
window.punkave.com
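
The approach both messages converge on (uploads stored outside web/, a random
server-chosen filename so a user-supplied ".htaccess" or "../x" never
touches the disk, and a small wrapper for serving them), written out as an
added PHP example. This is not code from Symfony or from symfony-check; the
UPLOAD_DIR path, the allowed-type table and the function names storeUpload,
resolveUpload and serveUpload are assumptions made for the example.

```php
<?php
// Added example (not Symfony / symfony-check code): keep uploads outside the
// document root and serve them through PHP. Paths and the type table are assumed.

declare(strict_types=1);

// Assumed layout: /var/www/app/web is the document root, uploads sit beside it,
// so no .htaccess and no SAPI-specific behaviour is needed to keep them from
// being executed or fetched directly.
const UPLOAD_DIR = '/var/www/app/uploads';
const MAX_BYTES  = 5 * 1024 * 1024;

// Sniffed MIME type => extension the file is stored under.
// The client-supplied name and type are never trusted.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Validate one $_FILES entry and move it out of the web root.
 * Returns the opaque storage key the application should persist.
 *
 * @throws RuntimeException on any validation failure
 */
function storeUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with code ' . (string) $file['error']);
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if (filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // Sniff the real content instead of trusting $file['type'] or the extension.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('unsupported content type ' . $mime);
    }

    // Server-generated name: the original filename is discarded entirely, so
    // ".htaccess", "shell.php.jpg" or path separators never reach the filesystem.
    $key    = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $target = UPLOAD_DIR . '/' . $key;

    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not move upload');
    }
    chmod($target, 0640); // plain data, never executable
    return $key;
}

/**
 * Map a storage key back to an absolute path, refusing anything that is not
 * a key produced by storeUpload() or that resolves outside UPLOAD_DIR.
 */
function resolveUpload(string $key): ?string
{
    if (!preg_match('/\A[0-9a-f]{32}\.(jpg|png|gif)\z/', $key)) {
        return null;
    }
    $path = realpath(UPLOAD_DIR . '/' . $key);
    $base = realpath(UPLOAD_DIR);
    if ($path === false || $base === false
        || strncmp($path, $base . '/', strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

/** Serve a stored file through PHP (the "wrapper" approach discussed above). */
function serveUpload(string $key): void
{
    $path = resolveUpload($key);
    if ($path === null) {
        http_response_code(404);
        return;
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    header('Content-Type: ' . $finfo->file($path));
    header('Content-Length: ' . (string) filesize($path));
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: inline; filename="' . $key . '"');
    readfile($path);
}

// Usage (assumed request handling):
// POST: $key = storeUpload($_FILES['photo']);  // persist $key with the record
// GET:  serveUpload($_GET['f'] ?? '');         // e.g. /download.php?f=<key>
```

Because the files live outside the document root, the protection no longer
depends on Apache honouring a .htaccess, which is the gap Florian describes
for php-cgi, FastCGI, lighttpd and nginx setups. For the performance case
Tom raises, a file that has passed storeUpload() can be copied into a
writable directory under web/ that the web server serves as static content
with no script handler mapped, so the wrapper only has to handle files that
genuinely need an access check.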
