[pLog-svn] r6278 - in plog/branches/lifetype-1.2/class:data/validator misc test/tests/misc

Mark Wu markplace at gmail.com
Sat Mar 29 16:31:31 EDT 2008


> > This issue only happens when a user uses the original file 
> > name format, 
> > because it will keep the original name, just like "phpinfo.PHP"
> I was wondering if that were the case.  I convinced 
> myself that it could happen with encoded names too.  The file 
> is saved as 123.php or something, right?  And then as long as 
> you knew the name, you could still access it directly, couldn't you?
> 
Nope, you can't. After 1.1, we already added the .htaccess to deny PHP
execution.

> > BTW, the apache document is wrong. The AddType is 
> > "case-insensitive" ....
> Yes.  I just verified on a 1and1 installation that .PHP 
> works fine.
> 

:(

> > So, 1.0 & 1.1 are okay. 1.2 with encoded file name is okay, too. But 
> > 1.2 with original file name is not okay.
> I think the only reason that the encoded names are okay 
> is because there is a strtolower on the extension during the 
> upload?  Otherwise, /gallery/1/1-69.PHP would still be 
> accessible.  There have been some different strtolower issues 
> with resources recently, I am not sure if the current 1.2-dev 
> encoded names are okay, but 1.2.6 would not be?  I'll try to 
> revert those changes and see if I can break it.
> 

I used the 1.2-dev from before your resources fix commits .... So .... I think
the encoded name converts the extension to lower case.

If the name is not converted to lower case, then the file can be accessed by
anyone.

> _______________________________________________
> pLog-svn mailing list
> pLog-svn at devel.lifetype.net
> http://limedaley.com/mailman/listinfo/plog-svn
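The following is an added example written for this thread, not LifeType's own code and not taken from the patch under discussion. It models the two naming paths the messages compare: an extension check that compares the supplied extension as-is (so "phpinfo.PHP" slips through, and Apache's case-insensitive AddType would hand it to the PHP handler) beside the hardened form that lowercases the extension first, as the encoded-name path relies on strtolower doing. The extension list, the `safeUploadName` helper and the sample file names are constructed for illustration and are not LifeType's.

```php
<?php
// Added example, not LifeType's own code. Models the upload naming paths
// discussed in the thread: a case-sensitive extension check lets
// "phpinfo.PHP" through, while Apache matches AddType extensions
// case-insensitively, so the file would execute if the directory allows PHP.

// Extensions a typical mod_php setup hands to the PHP handler.
// Constructed list, not taken from any particular server configuration.
const SCRIPT_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'phtml'];

/**
 * Vulnerable check (the behaviour described for the "original file name"
 * format): compares the extension exactly as supplied, so an upper-case
 * ".PHP" is not recognised as a script extension.
 */
function isScriptVulnerable(string $fileName): bool
{
    $ext = pathinfo($fileName, PATHINFO_EXTENSION);
    return in_array($ext, SCRIPT_EXTENSIONS, true);
}

/**
 * Hardened check: normalise the extension with strtolower() before
 * comparing, which is what the encoded-name path in the thread relies on.
 */
function isScriptHardened(string $fileName): bool
{
    $ext = strtolower(pathinfo($fileName, PATHINFO_EXTENSION));
    return in_array($ext, SCRIPT_EXTENSIONS, true);
}

/**
 * Hypothetical safe-name builder (assumption, not a LifeType function):
 * keeps a sanitised base name for readability, lowercases the extension,
 * and refuses script extensions outright. Returns null when the upload
 * must be rejected.
 */
function safeUploadName(string $fileName): ?string
{
    $base = pathinfo($fileName, PATHINFO_FILENAME);
    $ext  = strtolower(pathinfo($fileName, PATHINFO_EXTENSION));
    if ($ext === '' || in_array($ext, SCRIPT_EXTENSIONS, true)) {
        return null;
    }
    // Strip anything outside a conservative character set from the base name.
    $base = preg_replace('/[^A-Za-z0-9_-]/', '_', $base);
    if ($base === '') {
        $base = 'file';
    }
    return $base . '.' . $ext;
}

// Constructed sample names, including the mixed-case case the thread is about.
foreach (['phpinfo.PHP', 'shell.PhP', 'photo.JPG', 'notes.txt'] as $name) {
    printf("%-12s vulnerable=%-6s hardened=%-6s safe=%s\n",
        $name,
        isScriptVulnerable($name) ? 'script' : 'ok',
        isScriptHardened($name) ? 'script' : 'ok',
        safeUploadName($name) ?? 'REJECT');
}
```

The second line of defence the thread mentions, an .htaccess in the upload directory, has the same case trap: a `FilesMatch` pattern such as `\.php$` is a case-sensitive regular expression, so it also lets `.PHP` through unless the pattern is written case-insensitively (for example with a `(?i)` prefix) or PHP is switched off for the directory altogether with `php_flag engine off` under mod_php. Which of these LifeType's own .htaccess uses is not shown in the messages above, so check the shipped file rather than assuming.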
