[geeklog-devtalk] geeklog-devel digest, Vol 1 #248 - 1 msg

geeklog-devel-request at lists.geeklog.net geeklog-devel-request at lists.geeklog.net
Wed Jan 7 13:00:11 EST 2004




Today's Topics:

1. Testing of getimage.php (Tony Bibbs)

--__--__--

Message: 1
Date: Tue, 06 Jan 2004 23:02:54 -0600
From: Tony Bibbs <tony at tonybibbs.com>
To: geeklog-devel at lists.geeklog.net
Subject: [geeklog-devel] Testing of getimage.php
Reply-To: geeklog-devel at lists.geeklog.net

I have committed changes to CVS that use getimage.php. That file allows
images outside of a webtree to be viewed (i.e. userphotos, article
images). This was added as someone using Geeklog on a restrictive host
couldn't use any of the file uploads features because of security
restrictions. Instead of writing files to public_html/images, the
images had to be uploaded to a directory elsewhere.

My only real issue with what I have done is security. I'm worried that
it may be possible to hack the getstring in a way that may allow access
to unrestricted files. Granted I have limited the serving of files to
only images and I am checking for '..' in the image name for someone that
may try using relative paths, but I still think it needs someone else's
blessing before I'd feel 100% confident. If you get a chance, give it a
try.

Thanks,

--Tony

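As an added example that is not part of Tony's message or of Geeklog's getimage.php: a resolver for the check he describes, written from the defender's side. Rather than only searching the name for '..', it canonicalises the requested name against the upload directory and refuses anything that does not resolve inside it or is not actually an image. It assumes images are referenced by a bare file name and that $baseDir is the out-of-webtree upload directory (both assumptions, not Geeklog's configuration).

```php
<?php
// Added example, not getimage.php. Returns ['path' => ..., 'mime' => ...]
// for a servable image, or null for anything that must be refused.
function resolve_image(string $baseDir, string $requested): ?array
{
    // Only these extensions are served (assumed list).
    $allowed = ['jpg', 'jpeg', 'gif', 'png'];

    // Canonical base directory: resolves symlinks and trailing slashes.
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }

    // The script should only ever see a bare file name: reject empty
    // names and anything carrying a path separator or NUL byte.
    if ($requested === '' || strpbrk($requested, "/\\\0") !== false) {
        return null;
    }

    $ext = strtolower(pathinfo($requested, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed, true)) {
        return null;
    }

    // Canonicalise the joined path; a missing file yields false (refused).
    $full = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($full === false) {
        return null;
    }

    // Containment check on the resolved path, not on the raw input:
    // it must begin with the base directory plus a separator.
    if (strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }

    // Confirm the bytes really are an image before serving them.
    $info = @getimagesize($full);
    if ($info === false) {
        return null;
    }

    return ['path' => $full, 'mime' => $info['mime']];
}

// Constructed usage in a serving script:
// $img = resolve_image('/home/site/uploads', $_GET['image'] ?? '');
// if ($img === null) { header('HTTP/1.0 404 Not Found'); exit; }
// header('Content-Type: ' . $img['mime']);
// readfile($img['path']);
```

Logging every refused request (the raw value and the reason) gives a cheap detection signal for anyone probing the script.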

