Re: Re: PHP Security


 



--- Greg Donald <destiney@xxxxxxxxx> wrote:
> http://seclists.org/lists/security-basics/2004/Dec/0080.html

Most of this is actually true.

The one statement that is unclear is the following:

    "There are two kinds of flaws :
    - flaws inherent to the php language itself, as seen before, in file
    uploads.
    - danger in uploading files at all on the server, not dependent
    on the language used to handle the actual upload, but regarding
    the potential execution of uploaded files."

This may have been meant hypothetically, meaning that there are two areas
where flaws could potentially exist - in the language or in the code. If
this was meant to suggest that there are existing flaws in the language,
then this is never justified.

Another misleading suggestion is that all uploaded files should be stored
outside of document root. Not only is this not possible in some cases (if
your application depends on this for some reason), it's also not a large
risk. The point to take from this, however, is that if you don't
necessarily need a file within document root (and the only reason is that
you need a URL to be associated with the file), don't put it there. A risk
is still a risk, and an unnecessary risk is always a poor choice.

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly     HTTP Developer's Handbook - Sams
Coming Soon                 http://httphandbook.org/

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
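The approach the reply recommends, keeping an uploaded file out of the document root unless you genuinely need a URL for it, is shown below as an added example; it is not code from the original post or from Chris Shiflett. The directory paths, the size limit, the form field name and the whitelist of content types are assumptions chosen for illustration. The idea is that the web server never gets a chance to execute the uploaded bytes: the file lands under a server-chosen name in a directory the web server does not serve directly, and a script streams it back with an explicit Content-Type.

```php
<?php
// Added example (not from the original post): accept an upload, store it
// outside the document root under a server-chosen name, and serve it back
// through a script so the web server never executes the uploaded bytes.
// Paths, size limit and the type whitelist are assumptions for illustration.

declare(strict_types=1);

const UPLOAD_DIR = '/var/uploads';          // assumed: not under the document root
const MAX_BYTES  = 5 * 1024 * 1024;         // assumed size limit

// Content types we are willing to serve back; everything else is rejected.
// Keys are the types we will send, values are the extensions we store with.
const ALLOWED_TYPES = [
    'image/png'       => 'png',
    'image/jpeg'      => 'jpg',
    'application/pdf' => 'pdf',
];

function store_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed: ' . (string) $file['error']);
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('upload too large');
    }
    // Trust only the bytes on disk, not the client-supplied name or type.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $type  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$type])) {
        throw new RuntimeException('unsupported type: ' . $type);
    }
    // Server-chosen name: nothing from the client reaches the filesystem path.
    $id   = bin2hex(random_bytes(16));
    $dest = UPLOAD_DIR . '/' . $id . '.' . ALLOWED_TYPES[$type];
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move upload');
    }
    chmod($dest, 0640);  // readable by the web server user, never executable
    return $id;
}

function serve_upload(string $id): void
{
    // The id is the only value that reaches the path, and it must be 32 hex chars.
    if (!preg_match('/\A[0-9a-f]{32}\z/', $id)) {
        http_response_code(400);
        return;
    }
    foreach (ALLOWED_TYPES as $type => $ext) {
        $path = UPLOAD_DIR . '/' . $id . '.' . $ext;
        if (is_file($path)) {
            header('Content-Type: ' . $type);
            header('X-Content-Type-Options: nosniff');
            header('Content-Disposition: attachment; filename="' . $id . '.' . $ext . '"');
            header('Content-Length: ' . (string) filesize($path));
            readfile($path);
            return;
        }
    }
    http_response_code(404);
}

// Usage (assumed field and parameter names):
//   in the form's POST handler:  $id = store_upload($_FILES['upload']);
//   in download.php:             serve_upload($_GET['id'] ?? '');
```

The two pieces together give the file a URL (download.php?id=...) without ever placing it where Apache or PHP would interpret it, which is the situation the reply describes: a file that only needs a URL does not need to live inside the document root.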

