[geeklog-devel] Testing of getimage.php
Tony Bibbs
tony at tonybibbs.com
Wed Jan 7 00:02:54 EST 2004
I have committed changes to CVS that use getimage.php. That file allows
images outside of a webtree to be viewed (i.e. userphotos, article
images). This was added as someone using Geeklog on a restrictive host
couldn't use any of the file uploads features because of security
restrictions. Instead of writing files to public_html/images, the
images had to be uploaded to a directory elsewhere.
My only real issue with what I have done is security. I'm worried that
it may be possible to hack the getstring in a way that may allow access
to unrestricted files. Granted I have limited the serving of files to
only images and I am checking for '..' in the image name for someone that
may try using relative paths but I still think it needs someone else's
blessing before I'd feel 100% confident. If you get a chance, give it a
try.
Thanks,
--Tony
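One way to tighten that check, given here as an added example rather than Geeklog's own getimage.php (the image directory, the `image` query parameter and the allowed-type table are assumptions; PHP 7.1+ is assumed for the type hints): instead of scanning for '..', accept only a bare file name, canonicalise it with realpath() and require the result to sit under the configured directory.

```php
<?php
// Added example, not Geeklog's getimage.php. Serves an image stored
// outside the web tree and refuses anything that does not resolve to a
// regular file inside $imageDir.
$imageDir = '/home/geeklog/images';   // assumed location, not from the post
$allowed  = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
             'png' => 'image/png',  'gif'  => 'image/gif'];

function resolve_image(string $imageDir, string $name, array $allowed): ?string
{
    // Only a bare file name is accepted: no slashes or backslashes at all,
    // so '..' segments, absolute paths and encoded separators never reach
    // the filesystem call.
    if ($name === '' || !preg_match('/^[A-Za-z0-9._-]+$/', $name)) {
        return null;
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null;            // not one of the image types we serve
    }
    $base = realpath($imageDir);
    $path = realpath($imageDir . DIRECTORY_SEPARATOR . $name);
    // realpath() resolves symlinks and '.' components; the prefix test is
    // what actually confines the result to the image directory.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
        || !is_file($path)) {
        return null;
    }
    return $path;
}

$path = resolve_image($imageDir, $_GET['image'] ?? '', $allowed);
if ($path === null) {
    http_response_code(404);    // same answer for "missing" and "refused"
    exit;
}
$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
header('Content-Type: ' . $allowed[$ext]);
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

The 404 for both a missing and a refused name avoids telling a caller which files exist outside the directory; log the refused names server-side if you want to spot probing.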