I'm working on a module which will allow end users to upload files and I realized there is a security risk. For instance, a user could upload a malicious PHP script to perform nasty stuff on the server. My solution to this is to allow the administrator to enter a list of file extensions to allow, or enter a list of file extensions to block.
I'd like to know what the other module developers think is the best way to go, and get a feel for what users would prefer.
Thanks!
Allowed vs Restricted File Extensions
I'm for allowed extensions. It's much easier to say ".doc, .jpg, and .tiff" than "everything but .exe and .zip and .gzip etc etc etc," because there are a lot of extensions that would put the site at a security risk, and it's hard to keep track of all of them. Best I think to just disallow everything but a handful of special extensions.
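To illustrate the allowlist-versus-blocklist point in the reply above, here is an added example (not code posted by anyone in this thread) that runs both policies over the same upload names. The function names, the blocklist contents, the sample names and the "exactly one extension" rule are assumptions made for the example.

```php
<?php
// Added example; helper names are hypothetical, not from the module discussed.

// Lowercased dot-separated suffixes of a client-supplied name:
// "Photo.JPG" -> ["jpg"], "a.php.jpg" -> ["php", "jpg"], ".htaccess" -> ["htaccess"].
function upload_extensions(string $filename): array
{
    // Keep the last path component only and drop trailing dots/spaces.
    $name = strtolower(rtrim(basename(str_replace('\\', '/', $filename)), ". "));
    $parts = explode('.', $name);
    array_shift($parts); // first element is the base name (possibly empty)
    return $parts;
}

// Allowlist policy: exactly one extension, and it must be on the admin's list.
// Refusing multi-extension names is a conservative assumption of this example.
function accepted_by_allowlist(string $filename, array $allowed): bool
{
    $exts = upload_extensions($filename);
    return count($exts) === 1 && in_array($exts[0], $allowed, true);
}

// Blocklist policy: anything goes unless the final extension is on the list.
function accepted_by_blocklist(string $filename, array $blocked): bool
{
    $exts = upload_extensions($filename);
    $last = $exts ? $exts[count($exts) - 1] : '';
    return !in_array($last, $blocked, true);
}

$allowed = ['doc', 'jpg', 'tiff'];          // the reply's example allowlist
$blocked = ['php', 'exe', 'zip', 'gzip'];   // a typical first-draft blocklist

// Constructed sample names, not taken from any real upload log.
$samples = ['holiday.JPG', 'report.doc', 'tool.exe', 'page.phtml',
            'script.pl', '.htaccess', 'notes.php.jpg', 'README'];

printf("%-16s %-10s %s\n", 'name', 'allowlist', 'blocklist');
foreach ($samples as $name) {
    printf("%-16s %-10s %s\n", $name,
        accepted_by_allowlist($name, $allowed) ? 'accept' : 'reject',
        accepted_by_blocklist($name, $blocked) ? 'accept' : 'reject');
}
```

The two columns differ on every name the blocklist author did not think of, which is the maintenance problem the reply describes.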
