[geeklog-devel] PDF feature....

Tony Bibbs tony at tonybibbs.com
Wed Jun 9 12:49:34 EDT 2004


Yeah, I guess I was blindly trusting the downloader class to be secure
enough. I will fix PDF_servePDF() but don't be surprised if I make a
minor change to the downloader class to handle this more elegantly.
Guess I should check the getimage.php page too, huh?

--Tony

Dirk Haun wrote:

>Tony,
>
>>This code also deserves a look from the security perspective.
>
>function PDF_servePDF() should check the path before attempting the download.
>
>I've managed to download a PDF from some place outside of the webserver's
>webtree. For non-PDF files, it at least tells me if that file exists or
>not. There may be ways to trick it into downloading non-PDF files, too.
>And even if that is not possible, it at least enables me to snoop around
>on the webserver.
>
>bye, Dirk
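The path check Dirk asks for, written as an added example in PHP (Geeklog's language). This is not Geeklog's PDF_servePDF() or its downloader class; the function name servePdfSafely(), the $pdfDir argument and the /var/www/geeklog/pdfs directory are assumptions made for the illustration.

```php
<?php
// Added example, not Geeklog code. $pdfDir is assumed to be the one
// directory from which PDFs may be served.
function servePdfSafely(string $pdfDir, string $requested): bool
{
    // Accept a bare file name only: any directory component ("..", "/")
    // is rejected before the filesystem is consulted.
    if ($requested === '' || $requested !== basename($requested)) {
        return false;
    }
    // Whitelist the extension so non-PDF files are never served.
    if (strtolower(pathinfo($requested, PATHINFO_EXTENSION)) !== 'pdf') {
        return false;
    }
    $base = realpath($pdfDir);
    $full = realpath($pdfDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $full === false) {
        return false;
    }
    // realpath() resolves symlinks and ".."; the resolved file must still
    // sit below the allowed directory.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strpos($full, $prefix) !== 0 || !is_file($full)) {
        return false;
    }
    header('Content-Type: application/pdf');
    header('Content-Disposition: attachment; filename="' . $requested . '"');
    header('Content-Length: ' . filesize($full));
    readfile($full);
    return true;
}

// Usage (assumed request parameter name "file"): a rejected path and a
// missing file get the same answer, so the response reveals nothing about
// what exists outside the PDF directory.
$name = isset($_GET['file']) ? (string) $_GET['file'] : '';
if (!servePdfSafely('/var/www/geeklog/pdfs', $name)) {
    header('HTTP/1.0 404 Not Found');
    echo 'File not found';
}
```

The order of the checks matters: the name and extension are validated before any filesystem call, and every failure returns the same result, which closes the "does this file exist" side channel Dirk mentions as well as the traversal itself.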