[geeklog-devel] Prototype fix for expiring security tokens

Joe Mucchiello joe at ThrowingDice.com
Wed Dec 30 20:32:55 EST 2009


At 05:05 AM 12/30/2009, Dirk Haun wrote:
> >Feedback welcome.
>
>Anyone?

I haven't tried the code so this may be nothing. Passing the $_FILES 
array back to the client feels wrong from a security point of view. I 
don't know what the attack vector would be but it just sounds like a 
bad idea. I know the code cleans out the path information from the 
"real file location" but are you sure you are not providing any 
configuration information to the client that it would not normally 
have? Just something you might want to double check twice.


----
Joe Mucchiello
Throwing Dice Games
http://www.throwingdice.com 




More information about the geeklog-devel mailing list