[pLog-svn] r6278 - in plog/branches/lifetype-1.2/class:data/validator misc test/tests/misc

Mark Wu markplace at gmail.com
Sat Mar 29 16:20:15 EDT 2008


Damn ......

This issue only happens when the user uses the original file name format,
because it will keep the original name, just like "phpinfo.PHP".

If the user uses the encoded name, this problem won't happen.

BTW, the Apache document is wrong. The AddType is "case-insensitive" ....

I can execute phpinfo.PHP without any problems.

So, 1.0 & 1.1 are okay. 1.2 with encoded file name is okay, too. But 1.2 with
original file name is not okay.

Mark
 

> -----Original Message-----
> From: plog-svn-bounces at devel.lifetype.net 
> [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Jon Daley
> Sent: Sunday, March 30, 2008 4:09 AM
> To: LifeType Developer List
> Subject: Re: [pLog-svn] r6278 - in 
> plog/branches/lifetype-1.2/class:data/validator misc test/tests/misc
> 
> Looks good to me.  Can you confirm that your host was 
> vulnerable to this - i.e. can you upload a test.PHP to your 
> gallery without the recent changes?  (i.e. it'd be nice to 
> have in our announcement that it doesn't affect that many 
> people, rather than affecting everyone...)
> 
> On Sun, 30 Mar 2008, Mark Wu wrote:
> > Can you test it? It works for me and also passes the unit test, too.
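
The case problem discussed in this thread, as an added example that is not part of the original messages and is not LifeType's validator code: an upload-name check that lowercases the name before comparing extensions, so "phpinfo.PHP" is treated like "phpinfo.php". The function name and the blocked-extension list are assumptions, and the check looks at every dot-separated extension rather than only the last one, which is stricter than what the thread discusses.

```php
<?php
// Added example, not LifeType code. This blocked list is an assumption;
// a real deployment would match it to the handlers its web server maps.
const FORBIDDEN_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'phtml', 'cgi', 'pl'];

/**
 * Return true when none of the file name's extensions is forbidden.
 * The comparison is case-insensitive, because (as reported in the thread)
 * the web server executed "phpinfo.PHP" just like "phpinfo.php".
 */
function isUploadNameAllowed(string $fileName, array $forbidden = FORBIDDEN_EXTENSIONS): bool
{
    // Validate the base name only, so directory parts cannot hide it.
    $base = basename(str_replace('\\', '/', $fileName));
    if ($base === '' || $base === '.' || $base === '..') {
        return false;
    }

    // Normalise case before any comparison; this is the step a
    // case-sensitive blocklist check is missing.
    $parts = explode('.', strtolower($base));
    array_shift($parts); // drop the name itself, keep every extension

    foreach ($parts as $ext) {
        // trim() so that "php " with trailing whitespace is still caught.
        if (in_array(trim($ext), $forbidden, true)) {
            return false;
        }
    }
    return true;
}

// Constructed sample names, not taken from the thread except phpinfo.PHP
// and test.PHP.
$samples = ['holiday.jpg', 'phpinfo.php', 'phpinfo.PHP', 'test.PHP', 'shell.php.jpg', 'notes.txt'];
foreach ($samples as $name) {
    printf("%-14s %s\n", $name, isUploadNameAllowed($name) ? 'allowed' : 'rejected');
}
```

Storing uploads under a generated (encoded) name, which the thread reports as unaffected, sidesteps the problem entirely because the user-supplied extension never reaches the file system.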
