[pLog-svn] r6278 - in plog/branches/lifetype-1.2/class:data/validator misc test/tests/misc
Mark Wu
markplace at gmail.com
Sat Mar 29 16:31:31 EDT 2008
> > This issue only happened when the user uses the original file
> > name format, because it will keep the original name, just like
> > "phpinfo.PHP".
> I was wondering if that were the case. I convinced
> myself that it could happen with encoded names too. The file
> is saved as 123.php or something, right? And then as long as
> you knew the name, you could still access it directly, couldn't you?
>
Nope, you can't. After 1.1, we already added the .htaccess to deny PHP
execution.
> > BTW, the Apache document is wrong. AddType is
> > "case-insensitive" ....
> Yes. I just verified on a 1and1 installation that .PHP
> works fine.
>
:(
> > So, 1.0 & 1.1 are okay. 1.2 with encoded file name is okay, too. But
> > 1.2 with original file name is not okay.
> I think the only reason that the encoded names are okay
> is because there is a strtolower on the extension during the
> upload? Otherwise, /gallery/1/1-69.PHP would still be
> accessible. There have been some different strtolower issues
> with resources recently, I am not sure if the current 1.2-dev
> encoded names are okay, but 1.2.6 would not be? I'll try to
> revert those changes and see if I can break it.
>
I used the 1.2-dev before your resources fix commits .... So .... I think
the encoded name will convert the extension name to lower case.
If the name is not converted to lower case, then the file can be accessed by
anyone.
> _______________________________________________
> pLog-svn mailing list
> pLog-svn at devel.lifetype.net
> http://limedaley.com/mailman/listinfo/plog-svn
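The thread above turns on two facts: Apache's AddType matches the extension case-insensitively (so "phpinfo.PHP" runs as PHP), while a FilesMatch deny rule is a PCRE regex that is case-sensitive unless the pattern starts with (?i). The model below is an added example, not LifeType's own upload code or its actual .htaccess; the handler extension set, the two deny patterns and the "album-resource" layout of the encoded name are assumptions made for illustration. It shows why the encoded name (extension lowercased, so the deny rule matches) is safe and the original-name mode is not, and that a case-insensitive deny pattern closes both cases.

```python
import os
import re

# Assumed for illustration: extensions an AddType line maps to the PHP
# handler. The thread states AddType itself matches case-insensitively.
PHP_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml"}

# Constructed deny rules (not the project's real .htaccess). FilesMatch
# takes a PCRE regex; without (?i) it is case-sensitive, so the first
# pattern denies 1-69.php but not 1-69.PHP.
DENY_CASE_SENSITIVE = r"\.php$"
DENY_CASE_INSENSITIVE = r"(?i)\.ph(p[3-5]?|tml)$"


def apache_executes_as_php(name: str) -> bool:
    """Model Apache AddType: compare the extension case-insensitively."""
    ext = os.path.splitext(name)[1].lstrip(".")
    return ext.lower() in PHP_EXTENSIONS


def htaccess_denies(name: str, files_match: str) -> bool:
    """Model '<FilesMatch pattern> Deny from all' applied to the basename."""
    return re.search(files_match, os.path.basename(name)) is not None


def reachable_php(name: str, files_match: str) -> bool:
    """True when the file would run as PHP and the deny rule misses it."""
    return apache_executes_as_php(name) and not htaccess_denies(name, files_match)


def encoded_name(album_id: int, resource_id: int, original: str) -> str:
    """Encoded storage name with strtolower() on the extension, giving
    names like 1-69.php. The album/resource id layout is an assumption."""
    ext = os.path.splitext(original)[1].lower()
    return f"{album_id}-{resource_id}{ext}"


def original_name(original: str) -> str:
    """'Original file name' mode: stored exactly as uploaded."""
    return os.path.basename(original)


def validate_upload(original: str) -> bool:
    """Hardened upload-time check: reject anything Apache would run as PHP,
    regardless of extension case. Returns True when the upload is allowed."""
    return not apache_executes_as_php(original)


if __name__ == "__main__":
    upload = "phpinfo.PHP"  # constructed sample upload from the thread
    for label, stored in (("original", original_name(upload)),
                          ("encoded", encoded_name(1, 69, upload))):
        for rule_label, rule in (("case-sensitive", DENY_CASE_SENSITIVE),
                                 ("case-insensitive", DENY_CASE_INSENSITIVE)):
            print(f"{label:8} {stored:12} deny={rule_label:16} "
                  f"reachable={reachable_php(stored, rule)}")
    print("validate_upload:", validate_upload(upload))
```

Running it shows the original-name mode reachable only under the case-sensitive deny rule; the encoded name is denied either way because its extension was lowercased before the rule is applied. Relying on that lowercasing alone is fragile (the thread notes it depends on a strtolower that other changes could drop), so the (?i) pattern plus a case-insensitive upload-time rejection is the combination a practitioner would deploy.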