Ticket #275 (closed enhancement: fixed)

Opened 13 years ago

Last modified 13 years ago

Security: have server side uploader add random text to file name

Reported by: kmaclean
Owned by: kmaclean
Priority: major
Milestone: SpeechSubmission 0.1.1
Component: SpeechSubmission
Version: SpeechSubmission 0.1
Keywords:
Cc:

Description (last modified by kmaclean)

Security:

have server side uploader add random text to file name

to prevent: Local file inclusion attacks

Even though uploaded files are outside of the web root where they cannot be accessed and executed directly, if the attacker is able to upload files, even outside the web root, and he knows the name and location of the uploaded file, by "including" his uploaded file he can run arbitrary code on the server.

see ticket #183 - Security: Write only upload dir, script to move to a read only dir

File displayer removes random text from filename on display

that way, attacker doesn't know actual filename on the server
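
An added sketch of the scheme described above (uploader adds random text, displayer strips it), written in Python for illustration; it is not the SpeechSubmission code. The function names, the 128-bit hex token and the `<token>_<name>` layout are assumptions, and the sample file names are constructed.

```python
import re
import secrets

TOKEN_HEX_LEN = 32  # assumed size: 128 bits from the OS CSPRNG, hex-encoded
_STORED_RE = re.compile(r"^[0-9a-f]{%d}_(.+)$" % TOKEN_HEX_LEN)
_UNSAFE = re.compile(r"[^A-Za-z0-9._-]")


def sanitize(client_name: str) -> str:
    """Reduce a client-supplied name to a safe basename with no directories."""
    base = client_name.replace("\\", "/").rsplit("/", 1)[-1]
    base = _UNSAFE.sub("_", base).lstrip(".")  # no odd characters, no dotfiles
    return base[:100] or "upload"


def stored_name(client_name: str) -> str:
    """Name the uploader writes to disk: unguessable token plus cleaned name."""
    return f"{secrets.token_hex(TOKEN_HEX_LEN // 2)}_{sanitize(client_name)}"


def display_name(name_on_disk: str) -> str:
    """Name the file displayer shows: the fixed-length token is stripped."""
    m = _STORED_RE.match(name_on_disk)
    if m is None:
        raise ValueError("not a name produced by stored_name()")
    return m.group(1)


if __name__ == "__main__":
    # Constructed sample names, including two directory traversal attempts.
    for name in ["kmaclean-20090101.zip", "../../etc/passwd", "..\\evil.php"]:
        on_disk = stored_name(name)
        print(f"{name!r} -> {on_disk} -> shown as {display_name(on_disk)!r}")
```

The scheme only holds if the stored name never reaches the client: the upload response, listings and error messages should carry the output of `display_name()` only.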

Change History

comment:1 Changed 13 years ago by kmaclean

  • Description modified

comment:2 Changed 13 years ago by kmaclean

  • Milestone changed from SpeechSubmission 0.1.3 to SpeechSubmission 0.1.2

comment:3 Changed 13 years ago by kmaclean

  • Status changed from new to closed
  • Resolution set to fixed