PEM - Bugs: bug #12909, protect upload directory from web...

bug #12909: protect upload directory from web browsing

Submitted by:  Pierrick LE GALL <plg>
Submitted on:  Wed 28 Jan 2009 01:16:18 PM UTC  
 
Category: None
Severity: 1 - Wish
Priority: 5 - Normal
Status: None
Privacy: Public
Assigned to: Anthon Pang <vipsoft>
Open/Closed: Open

Mon 26 Apr 2010 03:24:14 PM UTC, comment #2:

OK vipsoft, that's fine for me, I've assigned the entry to you.

Pierrick LE GALL <plg>
Project Administrator
Tue 20 Apr 2010 08:30:32 PM UTC, comment #1:

It might be simpler to add pem/upload/.htaccess containing:

<Files "*">
Order Allow,Deny
Deny from all
</Files>
<Files ~ "\.(jpg|png)$">
Allow from all
Satisfy any
</Files>

Anthon Pang <vipsoft>
Project Member. In charge of this item.
Wed 28 Jan 2009 01:16:18 PM UTC, original submission:

The upload directory should not be "browsable". As you can upload files inside, the permissions have to be "wide"; it may attract intruders and let them upload unwanted files and browse them.

In the upload directory, a .htaccess file, with:

order allow,deny
deny from all

PEM source code should use the readfile function for screenshots, as it already does with the zip files.

Warning: we have to deal with existing remote clients (like the plugin manager in PhpWebGallery).

Pierrick LE GALL <plg>
Project Administrator
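
The readfile approach from the original submission, as an added example (not PEM's own code): with the deny-all .htaccess in place, a small PHP script becomes the only way to fetch a screenshot, so it has to enforce the extension allow-list and keep requests inside the upload directory. The script name screenshot.php, the `file` parameter and the location of upload/ next to the script are assumptions.

```php
<?php
// Added example, not PEM code. Hypothetical call: screenshot.php?file=<name>
// Assumes upload/ sits beside this script and is denied to direct web access.

const UPLOAD_DIR = __DIR__ . '/upload';
// Same allow-list as the <Files ~ "\.(jpg|png)$"> rule in comment #1.
const ALLOWED_TYPES = ['jpg' => 'image/jpeg', 'png' => 'image/png'];

/**
 * Map a client-supplied name to a file inside $baseDir.
 * Returns ['path' => ..., 'type' => ...] or null when the request is refused.
 */
function resolve_screenshot(string $requested, string $baseDir = UPLOAD_DIR): ?array
{
    // Refuse empty names and embedded NUL bytes before touching the filesystem.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $ext = strtolower(pathinfo($requested, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        return null; // uploaded .php, .htaccess, etc. are never served
    }
    // realpath() collapses "../" and follows symlinks; false means "not found".
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $requested);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // The resolved path must still live under the upload directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return ['path' => $path, 'type' => ALLOWED_TYPES[$ext]];
}

$name = $_GET['file'] ?? '';
$file = is_string($name) ? resolve_screenshot($name) : null;
if ($file === null) {
    http_response_code(404); // same answer for "missing" and "refused"
    exit;
}
// Content type comes from the allow-list, never from the uploaded file.
header('Content-Type: ' . $file['type']);
header('X-Content-Type-Options: nosniff');
header('Content-Length: ' . filesize($file['path']));
readfile($file['path']);
```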

Follows 1 latest change.

Date | Changed By | Updated Field | Previous Value => Replaced By
Mon 26 Apr 2010 03:24:14 PM UTC | plg | Assigned to | plg => vipsoft