Posts: 3,616
Threads: 287
Joined: Jan 2003
Yeah, I'll filter the URLs to make sure that they have the extension .BAS or .ZIP.
But there's a problem with filtering certain words... What if you have a program that imitates a sexton? :lol:
If only life let you press CTRL-Z.
--------------------------------------
Freebasic is like QB, except it doesn't suck.
Posts: 2,771
Threads: 96
Joined: Oct 2003
I think maybe you are a little paranoid! :wink:
Oracle has file uploading, and I'm sure he doesn't get much junk. Oracle?
Posts: 3,343
Threads: 83
Joined: Mar 2003
Nope, I don't get much junk. And the script I gave to Zack filters based on extension type so he can say that only .txt, .bas and .zip are allowed. I did once have somebody upload a php script that was supposed to delete everything but they had to name it to .txt so the server did not execute it.
Posts: 3,616
Threads: 287
Joined: Jan 2003
I think I've worked it out...
Two separate sections: "Reliables" which I add, and "User Files" which users ADD LINKS TO. Not upload.
Posts: 2,771
Threads: 96
Joined: Oct 2003
Quote: I did once have somebody upload a php script that was supposed to delete everything but they had to name it to .txt so the server did not execute it.
Ouch! Nasty! That would have been wicked bad if that happened! I'm surprised that there is an exploit that big. Are you meaning it would delete all the MySQL database tables and data? I thought that it requires a password to run a script accessing your database. Or do you keep the db connection open all the time in your website?
I'm confused...
Posts: 3,616
Threads: 287
Joined: Jan 2003
Hm, yeah.
Oracle, maybe you should have a folder non-accessible from the public that your uploads go into.
Posts: 3,343
Threads: 83
Joined: Mar 2003
Quote: Ouch! Nasty! That would have been wicked bad if that happened! I'm surprised that there is an exploit that big. Are you meaning it would delete all the MySQL database tables and data? I thought that it requires a password to run a script accessing your database. Or do you keep the db connection open all the time in your website?
I'm confused...
No, it wouldn't delete any databases, just all the actual html files using unlink().
Zack: The folder, by virtue of having to be able to be written into, must be CHMODed to 777, thus accessible to the public. But things like checking extensions and renaming files when they are uploaded will plug all the major gaps I can think of by having a public folder.
Posts: 614
Threads: 87
Joined: Aug 2001
Erm, perhaps you should put the uploads folder out of the web tree. i.e. on rpg-dev.net all of my files go in /home/rpg-dev/. If I want to be able to access something from the web I have to put it in /home/rpg-dev/public_html/. So, if I were to allow uploads (which I won't for bandwidth reasons but that's not the point heh) I would put them all in /home/rpg-dev/uploads/ so that anything the user uploads cannot be accessed from the user's web browser.
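The three defences the thread converges on (extension whitelist, renaming on upload, and storing the files outside the web tree) put together as an added Python example; this is not Oracle's script or anything from the forum, and the upload root `/home/example-user/uploads` is an assumed path standing in for a directory outside `public_html`.

```python
import os
import secrets
from pathlib import Path

# The whitelist from the thread: only these suffixes are ever accepted.
ALLOWED_EXTENSIONS = {".txt", ".bas", ".zip"}

# Assumed path outside the web tree (the equivalent of /home/rpg-dev/uploads/),
# so even a script that slips through the filter is never served or executed.
UPLOAD_ROOT = Path("/home/example-user/uploads")


def validate_upload_name(client_filename: str) -> str:
    """Return the vetted extension of a client-supplied filename, or raise.

    Directory parts are stripped first, so '../../x.zip' is treated as 'x.zip'.
    Only the final suffix counts: 'wipe.php' and 'shell.PHP' are rejected,
    while 'wipe.php.txt' passes as .txt (as in the thread) but is renamed.
    """
    base = os.path.basename(client_filename.replace("\\", "/"))
    ext = Path(base).suffix.lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension {ext!r} not allowed")
    return ext


def is_allowed_name(client_filename: str) -> bool:
    try:
        validate_upload_name(client_filename)
        return True
    except ValueError:
        return False


def stored_path(client_filename: str, upload_root: Path = UPLOAD_ROOT) -> Path:
    """Pick the on-disk name: random hex plus the vetted extension only.

    The original name is never reused, so an upload called 'index.html'
    cannot overwrite an existing file or pick its own served filename.
    """
    ext = validate_upload_name(client_filename)
    target = (upload_root / (secrets.token_hex(16) + ext)).resolve()
    if upload_root.resolve() not in target.parents:  # belt-and-braces containment check
        raise ValueError("refusing to write outside the upload root")
    return target


def save_upload(client_filename: str, data: bytes, upload_root: Path = UPLOAD_ROOT) -> Path:
    target = stored_path(client_filename, upload_root)
    # Writable by the web server's own user is enough; world-writable (777) is not needed.
    upload_root.mkdir(parents=True, exist_ok=True)
    os.chmod(upload_root, 0o700)
    target.write_bytes(data)
    return target
```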
Posts: 3,616
Threads: 287
Joined: Jan 2003
Fling: Precisely what I meant.
Posts: 3,343
Threads: 83
Joined: Mar 2003
I'll see if I can put my uploads out of the dir tree...