[geeklog-devel] PDF feature....
Tony Bibbs
tony at tonybibbs.com
Wed Jun 9 12:49:34 EDT 2004
Yeah, I guess I was blindly trusting the downloader class to be secure
enough. I will fix PDF_servePDF() but don't be surprised if I make a
minor change to the downloader class to handle this more elegantly.
Guess I should check the getimage.php page too, huh?
--Tony
Dirk Haun wrote:
>Tony,
>
>>This code also deserves a look from the security perspective.
>
>function PDF_servePDF() should check the path before attempting the download.
>
>I've managed to download a PDF from some place outside of the webserver's
>webtree. For non-PDF files, it at least tells me if that file exists or
>not. There may be ways to trick it into downloading non-PDF files, too.
>And even if that is not possible, it at least enables me to snoop around
>on the webserver.
>
>bye, Dirk
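The check Dirk asks for, as an added example written for this thread rather than Geeklog's own code: the requested name is resolved with realpath() and must stay inside a single assumed PDF directory ($pdfDir), and a rejected path gets the same 404 as a missing file so the endpoint cannot be used to confirm which files exist on the server.

```php
<?php
// Added example, not Geeklog's PDF_servePDF(). Assumption: $pdfDir is the only
// directory from which PDFs may be served, and $requested comes from the request.

function resolvePdfPath(string $pdfDir, string $requested): ?string
{
    // Only a plain file name is acceptable: no slashes, backslashes or NUL bytes.
    if ($requested === '' || strpbrk($requested, "/\\\0") !== false) {
        return null;
    }
    // Only .pdf files are served, so the endpoint cannot hand out other file types.
    if (strtolower(pathinfo($requested, PATHINFO_EXTENSION)) !== 'pdf') {
        return null;
    }
    $base = realpath($pdfDir);
    $full = realpath($pdfDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $full === false) {
        return null;
    }
    // realpath() has resolved ".." and symlinks; the result must lie below $base.
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    if (!is_file($full)) {
        return null;
    }
    return $full;
}

function servePdf(string $pdfDir, string $requested): void
{
    $path = resolvePdfPath($pdfDir, $requested);
    if ($path === null) {
        // Identical response for "rejected" and "does not exist", so nothing
        // about the filesystem outside $pdfDir leaks through this endpoint.
        header('HTTP/1.1 404 Not Found');
        exit;
    }
    $name = str_replace('"', '', basename($path));
    header('Content-Type: application/pdf');
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
    exit;
}

// Example call (assumed parameter name): servePdf('/path/to/pdfs', $_GET['file'] ?? '');
```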