[dokuwiki] Re: Problem uploading files

  • From: Julio Biason <julio.biason@xxxxxxxxx>
  • To: dokuwiki@xxxxxxxxxxxxx
  • Date: Mon, 9 Jan 2006 20:18:55 -0200

On 09/01/06, Andreas Gohr <andi@xxxxxxxxxxxxxx> wrote:
> The whole thing works as intended. Only the string wikiname is a little
> bit misleading. The wikiname is a new filename in reality and this
> filename is checked for the correct extension. This is to prevent for
> example uploading files with the extension .php and thus creating a
> possibility to inject your own code by uploading a file. Imagine
> uploading a file test.txt but naming it test.php - if DokuWiki would
> check original file extension it would allow the upload but save it with
> a php extension which (under some circumstances) could be executed
> through apache. So "wikiname" just means "filename with correct
> extension and specialchars removed". Maybe this should be made clear in
> the docs.

Hm... But that would also allow people to upload a wmf file and name
it gif (yeah, it is kind of a joke).

Shouldn't the original name be checked? I mean, if you block php files
but not txt files and upload a php file with txt extension, apache
would not process it (as it didn't have the correct extension).

[I'm not trying to push my point, I could have fixed it myself -- and,
right now, I'm uploading files with the suggested wikiname -- I just
want to explore the possibilities.]

--
Julio Biason <julio.biason@xxxxxxxxx>
--
DokuWiki mailing list - more info at
http://wiki.splitbrain.org/wiki:mailinglist
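
The check discussed in this thread, sketched as an added example (not DokuWiki's own code and not part of either message): the decision is made on the name the file will be stored under, and a content check covers the wmf-named-gif case. The allowlist, the function names and the sample uploads are assumptions constructed for illustration.

```php
<?php
// Added illustration; not DokuWiki's code. Allowlist and names are hypothetical.
// Extension => expected leading bytes (null = no content check for that type).
const ALLOWED = ['txt' => null, 'gif' => "GIF8", 'png' => "\x89PNG"];

/** Reduce a requested name to a safe stored name: lowercase, no path, no special chars. */
function clean_name(string $requested): string {
    $name = strtolower(basename(str_replace('\\', '/', $requested)));
    $name = preg_replace('/[^a-z0-9._-]+/', '_', $name);
    return trim($name, '._'); // also drops leading dots and trailing dots
}

/**
 * Decide on an upload using the name the file will be STORED under,
 * not the name the client's file had. Returns [accepted, stored name or reason].
 */
function check_upload(string $originalName, string $wikiName, string $head): array {
    $stored = clean_name($wikiName !== '' ? $wikiName : $originalName);
    $ext = pathinfo($stored, PATHINFO_EXTENSION);
    if ($stored === '' || !array_key_exists($ext, ALLOWED)) {
        return [false, "extension '$ext' not allowed"];
    }
    $magic = ALLOWED[$ext];
    if ($magic !== null && strncmp($head, $magic, strlen($magic)) !== 0) {
        return [false, "content does not look like .$ext"];
    }
    return [true, $stored];
}

// Constructed sample uploads: [original name, requested wiki name, first bytes]
$samples = [
    ['test.txt',  'test.php',    "hello"],            // reject: would be stored as .php
    ['test.php',  'test.txt',    "<?php echo 1;"],    // accept: stored as inert .txt
    ['image.wmf', 'image.gif',   "\xD7\xCD\xC6\x9A"], // reject: bytes are not a GIF header
    ['logo.gif',  'My Logo.GIF', "GIF89a"],           // accept: stored as my_logo.gif
];
foreach ($samples as [$orig, $wiki, $head]) {
    [$ok, $info] = check_upload($orig, $wiki, $head);
    printf("%-10s -> %-12s %s (%s)\n", $orig, $wiki, $ok ? 'accept' : 'reject', $info);
}
```

Checking only the original name would accept the first sample and store it with a .php extension, which is the case the quoted explanation describes.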
