[Gllug] apache question

Alain Williams addw at phcomp.co.uk
Sat Apr 15 13:55:22 UTC 2006


On Sat, Apr 15, 2006 at 02:50:26PM +0100, Richard Jones wrote:

> Have you validated the names they supply?  I mean, what happens if
> they upload a file called "../../../../var/www/index.html".  What
> happens if they UTF-8 encode the slashes using illegal long-forms of
> encoding?

Validation is quite simple, the name has to start alphanumeric & can
only contain a few extra chars thereafter. I use the perl regex:

	/^\w[-\w\.]+$/i

> Basically, having people upload files to webservers and writing those
> files to disk is a BAD idea.  It's very hard to get it right, and
> mistakes can be damaging.

Which is why I asked the question.

> A better, safer, idea is to put the files into a database.  With
> PostgreSQL you can just use a BYTEA field to store arbitrary data.
> Then your URLs can look like:
> 
>   /download_file.pl?id=1234
> 
> (or with some mod_rewriting, like /downloads/1234) and your download
> script can deliver a suitable MIME type, without fear that anything
> will get executed on the server.

Hmmm, maybe. I am trying to KISS.
I also want the URL to ''look'' right to the end users for this.

-- 
Alain Williams
Parliament Hill Computers Ltd.
Linux Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256  http://www.phcomp.co.uk/

#include <std_disclaimer.h>
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug




More information about the GLLUG mailing list