[pLog-svn] r6276 - in plog/branches/lifetype-1.2/class: data/validator misc template test/tests/misc

Jon Daley plogworld at jon.limedaley.com
Sat Mar 29 17:22:15 EDT 2008


Yeah, that's alright.  I would be happier if we had an .htaccess
file to protect it, instead of depending on the validator code.

On Sun, 30 Mar 2008, Mark Wu wrote:
> For 1.2, I think we can do this way.
>
> But, for 2.0, I really consider just removing the blacklist, and only allowing
> a whitelist
>
> This makes it easier for us to improve the security of the gallery.
>
> Mark
>
>> -----Original Message-----
>> From: plog-svn-bounces at devel.lifetype.net
>> [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Jon Daley
>> Sent: Sunday, March 30, 2008 5:17 AM
>> To: LifeType Developer List
>> Subject: Re: [pLog-svn] r6276 - in
>> plog/branches/lifetype-1.2/class: data/validator misc
>> template test/tests/misc
>>
>> On Sat, 29 Mar 2008, Jon Daley wrote:
>>> How about getting apache to serve the content as a binary
>>> application with a forcetype or something?
>>
>> There is RemoveHandler, but I think we end up in the same
>> place as the others - either you can't blacklist all of the
>> executable programs without being prone to missing some, or
>> whitelisting useful extensions seems kind of hard.
>>
>> I just went to check to see how wordpress does it, and it
>> turns out they are significantly worse off than we are.  I'll
>> file a bug with them.
>> Perhaps my attacker wasn't specifically attacking lifetype,
>> but knew that lots of resource uploaders don't work well in
>> the validation department.
>>
>> Maybe we could make the gallery .htaccess a little better,
>> and then leave some stuff commented where people can make it
>> more secure if they would like.
>>
>> _______________________________________________
>> pLog-svn mailing list
>> pLog-svn at devel.lifetype.net
>> http://limedaley.com/mailman/listinfo/plog-svn
>

-- 
Jon Daley
http://jon.limedaley.com/

God is holy.  You are not.
-- Harvest 2000
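The thread ends on two points: protect the gallery directory with an .htaccess file rather than rely on the upload validator, and whitelist the extensions that may be served rather than blacklist the executable ones. The following .htaccess is an added example of that approach; it is not from the thread, the LifeType code or its repository. It assumes Apache 2.2 or 2.4 with `AllowOverride All` (or at least FileInfo, Options, Limit and AuthConfig) for the directory, mod_php where the `php_flag` line is to apply, and that the gallery only needs to serve JPEG, GIF and PNG files; that extension list is an assumption, not something the thread states.

```apache
# Added example: deny-by-default .htaccess for an upload/gallery directory.
# Assumes Apache 2.2 or 2.4 with AllowOverride All for this directory.
# Drop this file into the directory that holds uploaded resources.

# 1. Nothing in this directory is ever handed to a script engine, whatever
#    its extension.  'default-handler' serves every file as static content,
#    which also covers double extensions such as name.php.jpg that an
#    AddHandler-based PHP setup would otherwise execute.
SetHandler default-handler
RemoveHandler .php .phtml .php3 .php4 .php5 .pl .py .cgi .shtml
RemoveType    .php .phtml .php3 .php4 .php5
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
# No CGI, no server-side includes, no directory listing, and no content
# negotiation (MultiViews could map a request for "name" to "name.php").
Options -ExecCGI -Includes -Indexes -MultiViews

# 2. Whitelist, not blacklist: deny every file by default ...
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
</IfModule>

# ... and grant access only to the extensions the gallery is meant to serve
# (assumed list).  Anything not listed answers 403 instead of being guessed at.
<FilesMatch "\.(?i:jpe?g|gif|png)$">
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
    </IfModule>
</FilesMatch>
```

The two halves are deliberately redundant: the handler and `php_flag` lines stop execution even if a whitelisted name slips through (a `.jpg` that is really PHP source is still served as bytes, never run), and the deny-by-default block means a new script extension the blacklist never heard of is simply not reachable. The ForceType idea from the thread can be added inside the directory scope (`ForceType application/octet-stream`) to serve everything as a download, at the cost of images no longer displaying inline when opened directly. After installing the file, request an uploaded image (expect 200 and the image bytes), a non-listed name in the same directory (expect 403), and confirm in the error log that no "Invalid command" entries appear, which would indicate an `AllowOverride` setting narrower than assumed here.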