[geeklog-devel] Testing of getimage.php

Tony Bibbs tony at tonybibbs.com
Wed Jan 7 00:02:54 EST 2004


I have committed changes to CVS that use getimage.php.  That file allows 
images outside of a webtree to be viewed (i.e. userphotos, article 
images).  This was added as someone using Geeklog on a restrictive host 
couldn't use any of the file uploads features because of security 
restrictions.  Instead of writing files to public_html/images, the 
images had to be uploaded to a directory elsewhere.

My only real issue with what I have done is security.  I'm worried that 
it may be possible to hack the getstring in a way that may allow access 
to unrestricted files.  Granted, I have limited the serving of files to 
only images and I am checking for '..' in the image name for someone that 
may try using relative paths, but I still think it needs someone else's 
blessing before I'd feel 100% confident.  If you get a chance, give it a 
try.

Thanks,

--Tony
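The concern raised in the message above is the classic one for a script that maps a request parameter onto a file outside the web tree. The following is an added example, not Geeklog's getimage.php and not code from the list: it puts a check of the shape described (refuse '..', require an image extension) next to a hardened version that canonicalises the path with realpath(), confines it to an allowlisted directory, and decides by file content rather than by name. All function names, the directory layout and the request strings are hypothetical; it assumes PHP 7.1 or later and builds its own throwaway fixture under the system temp directory.

```php
<?php
// Added example (not Geeklog's getimage.php): a '..' substring test next to a
// canonicalising allowlist check, run against a throwaway directory tree.
// Function names, directory layout and request strings are all hypothetical.
declare(strict_types=1);

// Plain file name only: no '/', no NUL, no leading dot, allowlisted extension.
const IMAGE_NAME_RE = '/\A[A-Za-z0-9_-]+\.(gif|jpe?g|png)\z/i';

// The approach described in the message: refuse '..' and anything not named
// like an image, then prepend the upload directory.
function weak_image_path(string $dir, string $name): ?string {
    if (strpos($name, '..') !== false) return null;
    if (!preg_match('/\.(gif|jpe?g|png)$/i', $name)) return null;
    return $dir . '/' . $name;
}

// Hardened: allowlisted directory key, strict file-name charset, canonical path
// confined to that directory (this is what catches symlinks), real image header.
function safe_image_path(array $dirs, string $dirKey, string $name): ?string {
    if (!isset($dirs[$dirKey])) return null;
    $root = realpath($dirs[$dirKey]);
    if ($root === false) return null;
    if (!preg_match(IMAGE_NAME_RE, $name)) return null;
    $full = realpath($root . DIRECTORY_SEPARATOR . $name);
    if ($full === false || !is_file($full)) return null;
    // realpath() has resolved any symlink; the result must still sit under $root.
    if (strncmp($full, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) return null;
    // Decide by content, not by extension: getimagesize() parses the header.
    return @getimagesize($full) === false ? null : $full;
}

// Constructed fixture: one allowed upload directory outside the web tree holding a
// real 1x1 GIF, a PHP file with a .gif name, and a symlink escaping the directory.
$base = sys_get_temp_dir() . '/getimage_demo_' . getmypid();
mkdir("$base/userphotos", 0700, true);
file_put_contents("$base/userphotos/tony.gif",
    base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));
file_put_contents("$base/userphotos/fake.gif", "<?php echo 'not an image'; ?>");
file_put_contents("$base/secret.txt", 'outside the image directory');
@symlink("$base/secret.txt", "$base/userphotos/link.gif");   // may fail on Windows
$dirs = ['userphotos' => "$base/userphotos"];

$requests = [
    'tony.gif',            // legitimate request: both allow
    '../secret.txt',       // classic traversal: both refuse
    "secret.txt\0.gif",    // NUL-truncation trick against PHP < 5.3.4: weak check allows
    'link.gif',            // symlink pointing out of the directory: weak check allows
    'fake.gif',            // script with an image extension: weak check allows
];
foreach ($requests as $req) {
    $weak = weak_image_path($dirs['userphotos'], $req) === null ? 'deny ' : 'allow';
    $safe = safe_image_path($dirs, 'userphotos', $req) === null ? 'deny ' : 'allow';
    printf("%-22s weak=%s  safe=%s\n", addcslashes($req, "\0"), $weak, $safe);
}

// Remove the fixture.
foreach (glob("$base/userphotos/*") as $f) unlink($f);
rmdir("$base/userphotos");
unlink("$base/secret.txt");
rmdir($base);
```

Run it with `php getimage_demo.php`. Only the first request survives the hardened check; the '..' test alone never sees the symlink, the NUL byte or the mislabelled script. A real getimage.php would take the path this returns, set Content-Type from the 'mime' entry that getimagesize() provides, and readfile() it, rather than ever echoing anything derived from the raw request string.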
