7938 Posts in 1466 Topics by 943 members
|Go to End|
7 July 2011 at 2:24am
I got a 302 error from Uploadify when running on a Zeus server, and solved it with UploadifyField::disable_authentication();
To what extent does this comprise a security problem? I presume anyone can upload files and hence cause DoS, but are there any other implications?
8 July 2011 at 9:09am
Good question. The problem is that the Flash request starts a new session on the server, so you lose your authentication unless you apply some trickery. The trickery doesn't always work, which is why the next best option is to disable the authentication and route the upload to a publicly exposed controller.
If you look at UploadifyUploader.php, you'll see it's a public controller that, in theory, could be gamed to add files to your system. It's unlikely, but possible. If someone created a post request containing "Filedata" and "FolderID", it could be used maliciously, especially if someone was able to upload a script. But in reality you should not have execute permissions on user uploaded files, anyway. Many websites have public-facing forms that feature uploads and deal with these issues all the time.
So that's pretty much it. I'm always looking for better ways to do this, but until HTML5 gets more support, we're kind of stuck with the plethora of concessions we make for Flash originated uploads.
SilverStripe tips, tutorials, screencasts and more: http://www.leftandmain.com
|Go to Top|