Re: Security Concerns with Uploaded Images:


 



On Wed, May 17, 2006 11:40 am, Richard Collyer wrote:
> Richard Lynch wrote:
>> On Mon, May 15, 2006 1:58 am, Jason Wong wrote:
>>> 2) the uploaded file is a "script" (perl/php/python/etc)
>>
>>> In the case of (2), if the script relies on its shebang line to execute
>>
>> Not necessarily -- What if I upload an "image" file named
>> "badscript.php" and then I surf to it, after it's in your /images
>> directory?
>
> Couldn't you just use the apache directory option to make sure that
> php can't be executed from the /images directory... wonder if that is
> possible.

Yes...

But suppose tomorrow you copy that perfectly wonderful script to let
your family upload their "pictures" and you put them in /pictures with
a couple quick changes in the script, because you don't want their
vacation shots mingled in with your web /images.

Now, are you going to 100% for sure remember to change the Directory
/pictures as well?  I *know* I would not remember to do that.

Security only really works when it's repeatable, maintainable, and so
damned easy that it's more work to NOT do it than it is TO do it.

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
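
An added example, not part of the e-mail above: one way to make the safe behaviour the default in the upload code itself, so that copying the script for a new /pictures directory cannot silently drop the protection. The function name `store_image`, its parameters and the directory layout are hypothetical, and it assumes stored files are later served by a script rather than mapped directly to a URL.

```php
<?php
// Added example; store_image() and its parameters are hypothetical names.
const IMAGE_EXTENSIONS = [          // allow-list: detected type => extension we assign
    IMAGETYPE_GIF  => 'gif',
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
];

function store_image(string $tmpPath, string $storageDir, string $docRoot,
                     ?callable $mover = null): string
{
    $mover = $mover ?? 'move_uploaded_file';   // only accepts real HTTP uploads
    $store = realpath($storageDir);
    $root  = realpath($docRoot);
    if ($store === false || $root === false) {
        throw new RuntimeException('storage directory or document root missing');
    }
    // Refuse any destination the web server maps to a URL, so there is no
    // per-directory Apache setting to remember for /images, /pictures, ...
    if (strpos($store . DIRECTORY_SEPARATOR, $root . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException('storage directory is inside the document root');
    }
    // Pick the type from the file header, never from the client-supplied name.
    // This does not prove the file is harmless; the next step handles that.
    $info = @getimagesize($tmpPath);
    if ($info === false || !isset(IMAGE_EXTENSIONS[$info[2]])) {
        throw new RuntimeException('not an accepted image type');
    }
    // Server-generated name and extension: "badscript.php" never reaches disk.
    $name = bin2hex(random_bytes(16)) . '.' . IMAGE_EXTENSIONS[$info[2]];
    $dest = $store . DIRECTORY_SEPARATOR . $name;
    if (!$mover($tmpPath, $dest)) {
        throw new RuntimeException('could not move upload');
    }
    chmod($dest, 0640);
    return $dest;
}

if (PHP_SAPI === 'cli') {   // offline demo; rename() stands in for a real upload
    // Constructed sample: a 1x1 GIF saved under the file name from the thread.
    $base = sys_get_temp_dir() . '/upload_demo_' . bin2hex(random_bytes(4));
    mkdir("$base/htdocs", 0700, true);
    mkdir("$base/store", 0700, true);
    $tmp = "$base/badscript.php";
    file_put_contents($tmp, base64_decode('R0lGODlhAQABAIAAAAAAAP///ywAAAAAAQABAAACAUwAOw=='));
    echo basename(store_image($tmp, "$base/store", "$base/htdocs", 'rename')), "\n";
    try { store_image($tmp, "$base/htdocs", "$base/htdocs", 'rename'); }
    catch (RuntimeException $e) { echo $e->getMessage(), "\n"; }
}
```

In a real handler the first argument is `$_FILES['field']['tmp_name']` and the fourth is omitted, so `move_uploaded_file()` is used.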

