[pLog-svn] r6276 - in plog/branches/lifetype-1.2/class: data/validator misc template test/tests/misc
Mark Wu
markplace at gmail.com
Sat Mar 29 17:18:41 EDT 2008
For 1.2, I think we can do it this way.
But for 2.0, I really consider just removing the blacklist and only allowing a
whitelist.
This makes it easier for us to improve the security of the gallery.
Mark
> -----Original Message-----
> From: plog-svn-bounces at devel.lifetype.net
> [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Jon Daley
> Sent: Sunday, March 30, 2008 5:17 AM
> To: LifeType Developer List
> Subject: Re: [pLog-svn] r6276 - in
> plog/branches/lifetype-1.2/class: data/validator misc
> template test/tests/misc
>
> On Sat, 29 Mar 2008, Jon Daley wrote:
> > How about getting Apache to serve the content as a binary
> > application with a ForceType or something?
>
> There is RemoveHandler, but I think we end up in the same
> place as the others - either you can't blacklist all of the
> executable programs without being prone to missing some, and
> whitelisting useful extensions seems kind of hard.
>
> I just went to check to see how WordPress does it, and it
> turns out they are significantly worse off than we are. I'll
> file a bug with them.
> Perhaps my attacker wasn't specifically attacking lifetype,
> but knew that lots of resource uploaders don't work well in
> the validation department.
>
> Maybe we could make the gallery .htaccess a little better,
> and then leave some stuff commented where people can make it
> more secure if they would like.
>
> _______________________________________________
> pLog-svn mailing list
> pLog-svn at devel.lifetype.net
> http://limedaley.com/mailman/listinfo/plog-svn
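The two .htaccess strategies the thread weighs, written out side by side as an added example. This is not LifeType's gallery .htaccess and not code from either poster. It assumes Apache 2.2-era syntax (Order/Deny/Allow from mod_access; on 2.4 these need mod_access_compat or a rewrite to Require), mod_php as the PHP SAPI, and that the upload directory's AllowOverride includes FileInfo, Options and Limit; the media extension list is a placeholder to be matched to whatever the gallery actually accepts.

```apache
# Added example, not LifeType's own configuration. Drop into the gallery
# upload directory. Assumes Apache 2.2 directives and mod_php.

# ---- Approach 1: blacklist (what the thread is moving away from) ---------
# Blocks requests for files whose name ends in a known script extension.
# Weakness: every extension the list misses still executes (.phar, .phps,
# .shtml, .pht, whatever AddType/AddHandler the host has configured), so the
# list has to be complete forever. Kept commented out for comparison.
#<FilesMatch "\.(php|php3|php4|php5|phtml|pl|py|cgi|asp|sh)$">
#    Order allow,deny
#    Deny from all
#</FilesMatch>

# ---- Approach 2: whitelist (what the thread proposes) ---------------------
# Step 1: make sure nothing in this subtree is ever executed, regardless of
# its name. Each line covers a different path to execution, so keep all of
# them: handler mappings, content-type mappings, CGI/SSI options, and the
# PHP engine itself (php_flag engine off holds even if a server-level
# FilesMatch re-adds a PHP handler, which the others do not guarantee).
RemoveHandler .php .phtml .php3 .php4 .php5 .phps .phar .pl .py .cgi .shtml
RemoveType .php .phtml .php3 .php4 .php5 .phps .phar
SetHandler default-handler
Options -ExecCGI -Includes
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>

# Step 2: refuse to serve anything, then re-open only the media types the
# gallery is meant to hold. A new executable extension invented tomorrow is
# denied by default instead of slipping through. The extension list is an
# assumption; align it with the gallery's accepted upload types.
Order deny,allow
Deny from all
<FilesMatch "\.(jpe?g|gif|png|bmp|pdf|mp3|ogg|avi|mpe?g|zip)$">
    Allow from all
</FilesMatch>

# Optional hardening: serve the allowed files as downloads/raw bytes so a
# browser does not sniff an HTML payload hidden in a permitted extension.
<FilesMatch "\.(zip|pdf)$">
    Header set Content-Disposition attachment
</FilesMatch>
```

If a hoster sets AllowOverride None or excludes Limit/Options, the whitelist block silently does nothing; verify by uploading a harmless `test.php` that echoes a marker and confirming it is either served as plain text or refused with 403 before relying on it.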