Hi devs,

If I understand this conversation correctly, you guys don't seem to agree on
the best way to handle this problem. And if I'm not mistaken, you are all
educated web developers, well aware of security problems.

On the other hand, most of you consider that the symfony framework does not
have to handle this and that the developers should be educated enough to
deal with it themselves.

Finally, this issue affects most of the existing symfony projects.

To sum up, that's a complicated but very common problem with no simple
solution.

But isn't that what frameworks are supposed to help with?

For my own part, after reading this conversation, I don't know what is good
and what is not.

This seems serious enough for the framework to emphasize the best way to
keep applications safe, either through clear documentation or through
sensible defaults.

My 2c,

François




2010/2/8 Tom Boutell <[email protected]>

> I think data/ needs a writable subfolder for this kind of thing.
>
> Our stuff defines one, hooking plugin:permissions to create
> data/pk_writable (well, data/a_writable come Wednesday).
>
> On Mon, Feb 8, 2010 at 2:06 PM, Éric Rogé <[email protected]> wrote:
> > @Flukey: Thanks a lot for your corrections
> >
> > I've added another piece of advice: store files in the "data" directory
> > when possible.
> > Does it make sense to you? Am I the only one to store my files
> > there?
> >
> > The new part:
> >
> > Avoid using the uploads directory when you can
> >
> > Some uploaded files - like user avatars - need to be publicly
> > accessible and are rendered very often by the server, so the uploads
> > directory is the right place for them.
> >
> > But many other user files are private or rarely rendered. All these
> > files should be stored in the data directory (documentation).
> >
> > 1/ Create a files sub directory: mkdir /path/to/my/sfProject/data/files
> >
> > 2/ Change the path option in your forms:
> >
> > $this->validatorSchema['driver_licence_pic'] = new sfValidatorFile(array(
> >   'mime_types' => 'web_images',
> >   'path'       => sfConfig::get('sf_data_dir').'/files/driver_licence',
> > ));
> >
> > 3/ And add a dedicated route to render the file.
> >
> > On Feb 8, 7:41 pm, Amadeus <[email protected]> wrote:
> >> I earlier suggested adding more preset mime_categories - something I
> >> implemented on my sites - in the process I realized that my list was a
> >> mile long just to allow for all the variations of safe files that I
> >> found (read audio alone seems to have about 10!).  So I strongly
> >> suggest:
> >>
> >> 1. adding an option for nonallowed_mimes, which is a lot easier to
> >> achieve than scouring the net for a list.
> >>
> >> 2. setting a safe default. Yes it is up to the developer but I rather
> >> like the safe by default rather than ridiculously unsafe by default.
> >>
> >> I think that most developers would want a) allow image uploads or b)
> >> document uploads (images, pdf, doc, xls, mp3)  - I have never come
> >> across a need from a client to upload a php file or even an html. So a
> >> default of "popular" documents might be good?
> >
> > --
> > You received this message because you are subscribed to the Google Groups
> "symfony developers" group.
> > To post to this group, send email to [email protected].
> > To unsubscribe from this group, send email to
> > [email protected].
> > For more options, visit this group at
> http://groups.google.com/group/symfony-devs?hl=en.
> >
> >
>
>
>
> --
> Tom Boutell
> P'unk Avenue
> 215 755 1330
> punkave.com
> window.punkave.com
>

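Added example, not code from the thread and not symfony's own API: a framework-free PHP sketch of the two recommendations quoted above, Éric's "keep private files under data/ and serve them through a dedicated route" and Amadeus's "allowlist of content types with a safe default". The DATA_DIR location, the ALLOWED_TYPES table, the $isAuthorized callback and the field/parameter names in the usage comments are all assumptions made for the example.

```php
<?php
// Added illustration, not code from the thread and not symfony's own API:
// a framework-free PHP version of the two recommendations above.
//  1. Keep private uploads in a directory outside the web root (data/ in a
//     symfony 1.x project) and hand them out only through a dedicated
//     handler that checks authorisation.
//  2. Validate the upload against a closed allowlist of content types
//     detected from the bytes, never against the client-supplied type.
declare(strict_types=1);

// Assumption: this file lives under web/, so ../data is outside the docroot.
const DATA_DIR = __DIR__ . '/../data/files/driver_licence';

// Closed allowlist (assumed): detected MIME type => extension we store under.
// A denylist ("no .php, no .html") can never be complete; this one can.
const ALLOWED_TYPES = [
    'image/jpeg'      => 'jpg',
    'image/png'       => 'png',
    'image/gif'       => 'gif',
    'application/pdf' => 'pdf',
];

/**
 * Validate one $_FILES entry and move it into DATA_DIR under a random name.
 * Returns the opaque stored name; throws on anything suspicious.
 */
function storeUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with error ' . $file['error']);
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not a file uploaded via HTTP POST');
    }
    // $file['type'] is whatever the client claimed; sniff the content instead.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime === false || !array_key_exists($mime, ALLOWED_TYPES)) {
        throw new RuntimeException('content type not allowed: ' . var_export($mime, true));
    }
    if (!is_dir(DATA_DIR) && !mkdir(DATA_DIR, 0750, true)) {
        throw new RuntimeException('cannot create ' . DATA_DIR);
    }
    // Nothing from the client reaches the filename: no traversal, no double
    // extensions; the extension comes from our own table.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest = DATA_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store upload');
    }
    chmod($dest, 0640); // readable by the app, not executable, not world-readable
    return $name;
}

/**
 * The "dedicated route": resolve an opaque id to a stored file and stream it.
 * $isAuthorized is the application's own access check (assumed callback).
 */
function serveUpload(string $id, callable $isAuthorized): void
{
    // Accept only names storeUpload() could have produced; rejects ../ etc.
    if (!preg_match('/\A[0-9a-f]{32}\.(jpg|png|gif|pdf)\z/', $id)) {
        http_response_code(404);
        return;
    }
    $base = realpath(DATA_DIR);
    $real = $base === false ? false : realpath($base . '/' . $id);
    // Belt and braces: the resolved path must still be inside DATA_DIR.
    if ($real === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(404);
        return;
    }
    if (!$isAuthorized($id)) {
        http_response_code(403);
        return;
    }
    // Re-detect on the way out and force the browser to honour it; serve as an
    // attachment so nothing we store is ever rendered inside the site's origin.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($real);
    $type = ($mime !== false && array_key_exists($mime, ALLOWED_TYPES)) ? $mime : 'application/octet-stream';
    header('Content-Type: ' . $type);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $id . '"');
    header('Content-Length: ' . (string) filesize($real));
    readfile($real);
}

// Usage in the upload action (assumed field name "driver_licence_pic"):
//   $id = storeUpload($_FILES['driver_licence_pic']);  // persist $id with the record
// Usage in the download route (assumed parameter "id" and check userMayDownload()):
//   serveUpload($_GET['id'], fn(string $id): bool => userMayDownload($id));
```

The random stored name does double duty: it is the only thing the download route will accept, so the client never supplies a path, and it carries no hint of the original filename. If the pictures must be displayed inline rather than downloaded, keep the allowlist free of anything a browser can execute in the page's origin (SVG, HTML, XML) before switching the Content-Disposition to inline.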