[Gllug] apache question
Alain Williams
addw at phcomp.co.uk
Sat Apr 15 13:55:22 UTC 2006
On Sat, Apr 15, 2006 at 02:50:26PM +0100, Richard Jones wrote:
> Have you validated the names they supply? I mean, what happens if
> they upload a file called "../../../../var/www/index.html". What
> happens if they UTF-8 encode the slashes using illegal long-forms of
> encoding?
Validation is quite simple, the name has to start alphanumeric & can
only contain a few extra chars thereafter. I use the perl regex:
/^\w[-\w\.]+$/i
> Basically, having people upload files to webservers and writing those
> files to disk is a BAD idea. It's very hard to get it right, and
> mistakes can be damaging.
Which is why I asked the question.
> A better, safer, idea is to put the files into a database. With
> PostgreSQL you can just use a BYTEA field to store arbitrary data.
> Then your URLs can look like:
>
> /download_file.pl?id=1234
>
> (or with some mod_rewriting, like /downloads/1234) and your download
> script can deliver a suitable MIME type, without fear that anything
> will get executed on the server.
Hmmm, maybe. I am trying to KISS.
I also want the URL to "look" right to the end users for this.
--
Alain Williams
Parliament Hill Computers Ltd.
Linux Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256 http://www.phcomp.co.uk/
#include <std_disclaimer.h>
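The validation step Alain describes, with Richard's traversal and overlong-UTF-8 cases run through it, as an added example written for this page (it is not code from the thread). The Perl regex `/^\w[-\w\.]+$/i` is translated to Python; the assumption that the name arrives percent-encoded and is decoded as strict UTF-8 before the regex is applied is mine, not something the thread states. The block also shows why the end-anchor matters: `$` in both Perl and Python accepts a trailing newline.

```python
import re
import urllib.parse
from typing import Optional, Tuple

# Alain's Perl regex /^\w[-\w\.]+$/i, translated. re.ASCII pins \w to
# [A-Za-z0-9_], so accented letters are rejected as well (the tighter choice;
# Perl's \w behaviour depends on the string's character semantics).
NAME_RE = re.compile(r"\w[-\w.]+", re.ASCII)


def loose_match(name: str) -> bool:
    """The literal translation with ^ and $. Kept only to show the gotcha:
    `$` also matches just before a trailing newline."""
    return re.match(r"^\w[-\w.]+$", name, re.ASCII) is not None


def is_valid_name(name: str) -> bool:
    """Allow-list check. fullmatch() anchors both ends of the string itself,
    so 'report.pdf\\n' is rejected where loose_match() would accept it."""
    return NAME_RE.fullmatch(name) is not None


def decode_upload_name(raw: str) -> Optional[str]:
    """Assumed input form: a percent-encoded name. Decode to raw bytes first,
    then require strictly valid UTF-8. Overlong forms such as %C0%AF (an
    'illegal long-form' slash) fail here instead of reaching the regex."""
    try:
        return urllib.parse.unquote_to_bytes(raw).decode("utf-8")
    except UnicodeDecodeError:
        return None


def validate_upload(raw: str) -> Tuple[bool, str]:
    """Return (accepted, reason_or_clean_name)."""
    decoded = decode_upload_name(raw)
    if decoded is None:
        return False, "undecodable bytes (overlong or invalid UTF-8)"
    if not is_valid_name(decoded):
        # Covers names starting with '.', containing '/' or '\\', and,
        # because the regex needs \w plus at least one more char, 1-char names.
        return False, "name %r fails allow-list regex" % decoded
    return True, decoded


# Constructed sample inputs: one benign name plus the cases Richard raised.
SAMPLES = [
    "report-2006.pdf",
    "../../../../var/www/index.html",
    "%2e%2e%2f%2e%2e%2fetc%2fpasswd",   # plain percent-encoded traversal
    "%C0%AE%C0%AE%C0%AFetc",           # overlong UTF-8 dots and slash
    "caf%C3%A9.txt",                   # valid UTF-8, non-ASCII letter
    "a",                               # too short for the regex
]

if __name__ == "__main__":
    for raw in SAMPLES:
        ok, detail = validate_upload(raw)
        print("%-36s -> %s: %s" % (raw, "accept" if ok else "reject", detail))
    # The anchor gotcha, side by side.
    print("loose_match('report.pdf\\n') =", loose_match("report.pdf\n"))
    print("is_valid_name('report.pdf\\n') =", is_valid_name("report.pdf\n"))
```

Only the first sample is accepted; every traversal variant is stopped either by the strict UTF-8 decode or by the allow-list, and the final two lines print `True` then `False`, which is the whole argument for anchoring with `fullmatch()` (or `\z` in Perl) rather than `$`.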
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug