bugPEM - Bugs: bug #12909, protect upload directory from web...

bug #12909: protect upload directory from web browsing

Submitted by: Pierrick LE GALL <plg>
Submitted on: Wed Jan 28 13:16:18 2009
Category: None
Severity: 1 - Wish
Priority: 5 - Normal
Status: None
Privacy: Public
Assigned to: Anthon Pang <vipsoft>
Open/Closed: Open

Mon Apr 26 15:24:14 2010, comment #2:

OK vipsoft, that's fine for me, I've assigned the entry to you.

Pierrick LE GALL <plg>
Project Administrator
Tue Apr 20 20:30:32 2010, comment #1:

It might be simpler to add pem/upload/.htaccess containing:

<Files "*">
Order Allow,Deny
Deny from all
</Files>
<Files ~ "\.(jpg|png)$">
Allow from all
Satisfy any
</Files>

Anthon Pang <vipsoft>
Project Member
In charge of this item.
Wed Jan 28 13:16:18 2009, original submission:

The upload directory should not be "browsable". As you can upload files inside, the permissions have to be "wide"; it may attract intruders and let them upload unwanted files and browse them.

In the upload directory, a .htaccess file, with:

order allow,deny
deny from all

PEM source code should use the readfile function for screenshots as it already does with the zip files.

Warning: we have to deal with existing remote clients (like the plugin manager in PhpWebGallery)

Pierrick LE GALL <plg>
Project Administrator
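
The readfile approach proposed in the original submission, sketched as an added example (this is not PEM's own code). The upload path, the "file" query parameter and the function names are assumptions made for illustration.

```php
<?php
// Added example, not PEM code. UPLOAD_DIR and the "file" parameter are assumed names.
const UPLOAD_DIR    = __DIR__ . '/upload';   // directory closed to the web by .htaccess
const ALLOWED_TYPES = ['jpg' => 'image/jpeg', 'png' => 'image/png'];

/**
 * Map a client-supplied name to a screenshot inside $baseDir.
 * Returns ['path' => ..., 'type' => ...] or null if the request is not acceptable.
 */
function resolve_screenshot(string $requested, string $baseDir): ?array
{
    // basename() drops any directory part, so "../" sequences cannot leave the directory.
    $name = basename($requested);
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    // Reject empty names, dotfiles (.htaccess itself) and anything that is not an image.
    if ($name === '' || $name[0] === '.' || !array_key_exists($ext, ALLOWED_TYPES)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    // realpath() resolves symlinks; the resolved file must still sit under the base.
    if ($base === false || $path === false || !is_file($path)
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return ['path' => $path, 'type' => ALLOWED_TYPES[$ext]];
}

function serve_screenshot(string $requested): void
{
    $file = resolve_screenshot($requested, UPLOAD_DIR);
    if ($file === null) {
        http_response_code(404);
        return;
    }
    // The content type comes from the whitelist, never from the uploaded file or the client.
    header('Content-Type: ' . $file['type']);
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . filesize($file['path']));
    readfile($file['path']);
}

if (PHP_SAPI !== 'cli') {
    $requested = $_GET['file'] ?? '';
    serve_screenshot(is_string($requested) ? $requested : '');
}
```

With a script like this in place, the upload directory can carry the plain "deny from all" rule, since no file in it is fetched directly by the web server any more.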

Follows 1 latest change.

Date | Changed By | Updated Field | Previous Value => Replaced By
Mon Apr 26 15:24:14 2010 | plg | Assigned to | plg => vipsoft