Ticket #390 (new defect)

Opened 3 months ago

Prevent uploading files with dot prefix (e.g.: .htaccess)

Reported by: rho
Assigned to: nobody
Priority: highest
Milestone: 0.9.1
Component: core
Version: 0.9.1
Severity: critical
Keywords:
Cc: misja
Patch Included: 0
Review Stage: unreviewed

Description

By default, Elgg 0.9.x ships the data directory within the root directory accessible by web; malicious users can upload a .htaccess file and disable the rewrite engine in their files (data/files/u/username/).

Attachments

remove_start_dot_upload_filename.patch (426 bytes) - added by rho on 08/21/08 16:28:20.

Change History

08/21/08 16:28:20 changed by rho

  • attachment remove_start_dot_upload_filename.patch added.
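
The check the ticket title asks for, sketched as an added PHP example: it is not the attached patch (whose contents are not shown on this page) and not Elgg's own code. `sanitize_upload_filename` is a hypothetical name and the sample inputs are constructed.

```php
<?php
// Added example; the function name is hypothetical, not part of Elgg's API.

/**
 * Return a filename that is safe to store under a web-served upload
 * directory, or null if nothing usable remains after cleaning.
 */
function sanitize_upload_filename(string $clientName): ?string
{
    // Drop any path component the client supplied (both separator styles).
    $name = basename(str_replace('\\', '/', $clientName));

    // Remove control characters, including NUL and tab.
    $name = preg_replace('/[\x00-\x1F\x7F]/', '', $name);

    // Strip leading dots and spaces so ".htaccess", "..htaccess" and
    // " .htaccess" can never be stored as a dotfile.
    $name = ltrim($name, '. ');

    // Some filesystems silently drop trailing dots and spaces; remove them
    // here so the stored name is the name that was checked.
    $name = rtrim($name, '. ');

    return $name === '' ? null : $name;
}

// Constructed sample inputs.
$samples = [
    '.htaccess',
    '..htaccess',
    ' .user.ini',
    '../../.htaccess',
    "C:\\tmp\\.htaccess",
    '...',
    'photo.jpg',
];

foreach ($samples as $sample) {
    $clean = sanitize_upload_filename($sample);
    printf("%-22s => %s\n", json_encode($sample), $clean ?? '(rejected)');
}
```

Renaming at upload time only covers the file-store path; keeping the data directory outside the web root, as the description implies, removes the exposure regardless of filename.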