This is the bug tracker for Photo Organizer.
FS#319 - Enhance local filesystem uploads to be secure and universal.
Attached to Project:
Photo Organizer
Opened by Solomon Peachy (pizza) - Thursday, 31 January 2008, 15:10 GMT
Last edited by Solomon Peachy (pizza) - Sunday, 02 March 2008, 00:30 GMT
Opened by Solomon Peachy (pizza) - Thursday, 31 January 2008, 15:10 GMT
Last edited by Solomon Peachy (pizza) - Sunday, 02 March 2008, 00:30 GMT
|
DetailsCurrently the user specifies a path. This grants the user full access to anything on the filesystem that the webserver can access.
To allow this feature for everyone without giving away the security farm, there has to be a non-modifiable per-user upload path. $bulk_upload_base = '/var/po/uploads/%u/'; /* %u gets replaced with userid or username */ Problems: 1) Mechanism for uploading files needs to map to a PO user (and hence the path) and disallow access to other users' files -- this is more complicated when you consider: 2) Files need to be deletable by the web server's user -- as files are imported, they must be removed from the 'upload path'. (2) can be sort-of worked around by making the directories group-writable by the webserver, but the problem of subdirs still applies. (1) Is entirely site-specific. In the end, perhaps as part of the user creation process, upload subdirs are created for each user, and it's up to the site admin to figure out how to do it. |
This task depends upon
Closed by Solomon Peachy (pizza)
Sunday, 02 March 2008, 00:30 GMT
Reason for closing: Implemented
Additional comments about closing: r1949.
Sunday, 02 March 2008, 00:30 GMT
Reason for closing: Implemented
Additional comments about closing: r1949.