[pLog-svn] r6278 - in plog/branches/lifetype-1.2/class:data/validator misc test/tests/misc
Jon Daley
plogworld at jon.limedaley.com
Sat Mar 29 16:26:01 EDT 2008
On Sun, 30 Mar 2008, Mark Wu wrote:
> This issue only happened when the user uses the original file name format,
> because it will keep the original name, just like "phpinfo.PHP"
I was wondering if that were the case. I convinced myself that it
could happen with encoded names too. The file is saved as 123.php or
something, right? And then as long as you knew the name, you could still
access it directly, couldn't you?
> BTW, the Apache document is wrong. The AddType is "case-insensitive" ....
Yes. I just verified on a 1and1 installation that .PHP works
fine.
> So, 1.0 & 1.1 are okay. 1.2 with encoded file name is okay, too. But 1.2 with
> original file name is not okay.
I think the only reason that the encoded names are okay is because
there is a strtolower on the extension during the upload? Otherwise,
/gallery/1/1-69.PHP would still be accessible. There have been some
different strtolower issues with resources recently, I am not sure if the
current 1.2-dev encoded names are okay, but 1.2.6 would not be? I'll try
to revert those changes and see if I can break it.
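
The following is an added example, not part of the original message and not LifeType's validator code. It shows why an upload extension check has to fold case before comparing, given that Apache maps extensions case-insensitively as discussed above. The function names, the blocklist contents and the sample file names are assumptions constructed for illustration.

```php
<?php
// Added illustration. The blocklist and function names are hypothetical,
// not taken from LifeType's upload validator.
const FORBIDDEN_EXTENSIONS = ['php', 'php3', 'phtml', 'cgi', 'pl'];

// Case-sensitive comparison: "phpinfo.PHP" is not matched, although the
// web server would still hand a .PHP file to the PHP handler.
function isForbiddenCaseSensitive(string $fileName): bool
{
    $ext = pathinfo($fileName, PATHINFO_EXTENSION);
    return in_array($ext, FORBIDDEN_EXTENSIONS, true);
}

// Case-folded comparison: lower-case the extension first, so the check
// agrees with the server's case-insensitive extension mapping.
function isForbiddenCaseFolded(string $fileName): bool
{
    $ext = strtolower(pathinfo($fileName, PATHINFO_EXTENSION));
    return in_array($ext, FORBIDDEN_EXTENSIONS, true);
}

// Constructed sample upload names, including the one quoted in the thread.
$samples = ['phpinfo.PHP', 'notes.Php3', 'photo.JPG', 'report.pdf'];

foreach ($samples as $name) {
    printf(
        "%-12s case-sensitive=%-5s case-folded=%s\n",
        $name,
        var_export(isForbiddenCaseSensitive($name), true),
        var_export(isForbiddenCaseFolded($name), true)
    );
}
```

For the first two sample names the two checks disagree: only the case-folded one flags them as forbidden.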