[geeklog-devel] PDF feature....

Dirk Haun dirk at haun-online.de
Wed Jun 9 12:29:17 EDT 2004


Tony,

>This code also deserves a look from the security perspective.

function PDF_servePDF() should check the path before attempting the download. 

I've managed to download a PDF from some place outside of the webserver's
webtree. For non-PDF files, it at least tells me if that file exists or
not. There may be ways to trick it into downloading non-PDF files, too.
And even if that is not possible, it at least enables me to snoop around
on the webserver.

bye, Dirk


-- 
http://www.haun-online.de/
http://geeklog.info/
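The check the message asks for, as an added example that is neither Geeklog's PDF_servePDF() nor Dirk's code: the requested name is reduced to a bare file name, its canonical path is required to lie under one fixed download directory, only a .pdf extension is accepted, and every rejection returns the same 404, so the endpoint can no longer be used to tell whether arbitrary files exist. The function names, the base directory and the `file` request parameter are assumptions.

```php
<?php
// Added illustration, not Geeklog's own code. Names and paths are assumed.

/**
 * Return the canonical path of $requested inside $baseDir, or null if the
 * request must be refused. A null never distinguishes "outside the tree",
 * "not a PDF" and "does not exist".
 */
function pdf_resolve_safe_path(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null; // base directory misconfigured: refuse everything
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // Accept only a plain file name: no directory components, no "..".
    if ($requested === '' || basename($requested) !== $requested) {
        return null;
    }
    // Only PDF files are served at all.
    if (strtolower(pathinfo($requested, PATHINFO_EXTENSION)) !== 'pdf') {
        return null;
    }

    // realpath() resolves symlinks and "..", so the prefix test below is made
    // on the real location, not on the string the client sent.
    $full = realpath($base . $requested);
    if ($full === false
        || strncmp($full, $base, strlen($base)) !== 0
        || !is_file($full)) {
        return null;
    }
    return $full;
}

/** Stream the PDF, or answer 404 uniformly for any refused request. */
function pdf_serve(string $baseDir, string $requested): void
{
    $path = pdf_resolve_safe_path($baseDir, $requested);
    if ($path === null) {
        header('HTTP/1.1 404 Not Found');
        exit;
    }
    header('Content-Type: application/pdf');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
    exit;
}

// Assumed wiring: the download directory and request parameter are placeholders.
pdf_serve('/var/www/html/pdf', $_GET['file'] ?? '');
```

Rejecting anything with a directory component before touching the filesystem keeps the cheap check first; the realpath() prefix comparison is still needed because a symlink inside the download directory could otherwise point outside it.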
