[geeklog-devel] Prototype fix for expiring security tokens

Joe Mucchiello joe at ThrowingDice.com
Wed Dec 30 20:32:55 EST 2009

At 05:05 AM 12/30/2009, Dirk Haun wrote:
> >Feedback welcome.

I haven't tried the code, so this may be nothing. Passing the $_FILES
array back to the client feels wrong from a security point of view. I
don't know what the attack vector would be, but it just sounds like a
bad idea. I know the code cleans out the path information from the
"real file location", but are you sure you are not providing any
configuration information to the client that it would not normally
have? Just something you might want to double check twice.

Joe Mucchiello
Throwing Dice Games

