This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.
Please use forum.silverstripe.org for any new questions
(announcement).
The forum archive will stick around, but will be read only.
You can also use our Slack channel
or StackOverflow to ask for help.
Check out our community overview for more options to contribute.
Discuss the DataObjectManager module, and the related ImageGallery module.
Moderators: martimiz, UncleCheese, Sean, Ed, biapar, Willr, Ingo, swaiba
Hi,
I got a 302 error from Uploadify when running on a Zeus server, and solved it with UploadifyField::disable_authentication();
To what extent does this comprise a security problem? I presume anyone can upload files and hence cause DoS, but are there any other implications?
thanks,
-- Tim.
Good question. The problem is that the Flash request starts a new session on the server, so you lose your authentication unless you apply some trickery. The trickery doesn't always work, which is why the next best option is to disable the authentication and route the upload to a publicly exposed controller.
If you look at UploadifyUploader.php, you'll see it's a public controller that, in theory, could be gamed to add files to your system. It's unlikely, but possible. If someone created a post request containing "Filedata" and "FolderID", it could be used maliciously, especially if someone was able to upload a script. But in reality you should not have execute permissions on user uploaded files, anyway. Many websites have public-facing forms that feature uploads and deal with these issues all the time.
So that's pretty much it. I'm always looking for better ways to do this, but until HTML5 gets more support, we're kind of stuck with the plethora of concessions we make for Flash originated uploads.
--------------------
SilverStripe tips, tutorials, screencasts and more: http://www.leftandmain.com
