[Gllug] apache question
Richard Jones
rich at annexia.org
Sat Apr 15 13:50:26 UTC 2006
On Sat, Apr 15, 2006 at 01:59:52PM +0100, Alain Williams wrote:
> I moaned to people to NOT put large attachments in email, but to put
> up links instead. OK they said, but we don't have access to a web
> server where we can put things. I have written a simple email
> handling script that saves files on a web server and returns them a
> URL that they can put into email to others on the mail list.
>
> It works well. It then occurred to me what happens if they put up a
> file: delete_everything.php ?
>
> Question: how to I get Apache to serve up all files in a particular
> directory as straight files, no trying to run as a CGI or whatever ?
>
> I want to allow that to still work in other directories.
>
> I have played with a few Options but have not got anywhere ...
>
> Suggestions SVP
Have you validated the names they supply? I mean, what happens if
they upload a file called "../../../../var/www/index.html". What
happens if they UTF-8 encode the slashes using illegal long-forms of
encoding?
Basically, having people upload files to webservers and writing those
files to disk is a BAD idea. It's very hard to get it right, and
mistakes can be damaging.
A better, safer, idea is to put the files into a database. With
PostgreSQL you can just use a BYTEA field to store arbitrary data.
Then your URLs can look like:
/download_file.pl?id=1234
(or with some mod_rewriting, like /downloads/1234) and your download
script can deliver a suitable MIME type, without fear that anything
will get executed on the server.
Rich.
--
Richard Jones, CTO Merjis Ltd.
Merjis - web marketing and technology - http://merjis.com
Team Notepad - intranets and extranets for business - http://team-notepad.com
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
More information about the GLLUG
mailing list