
[cobalt-security] php upload_tmp_dir & sanity



i'd be interested to know where raq4 owners keep their upload_tmp_dir
these days.

it was recently brought to my attention that the uploaded files don't
get the proper site gid after being moved under site directories.
since system default is to use /tmp (symlinked to /home/tmp) the group
would be root.
this doesn't look especially sane to me. besides obvious security
concerns, users could upload to their heart's desire without it ever
affecting their quota.

other opinions? it looks to me the best bet is to set ./tmp in php.ini.
does that have any negative sides to it?

rgds,
netcat
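
A check for the condition described in the post, as an added example that is not part of the original message: it lists everything under a site directory whose group differs from the site's gid, which is how uploads moved in from a shared upload_tmp_dir would show up. The function names `find_gid_mismatch` and `count_gid_mismatch` are hypothetical, and the directory you pass in is your own site root.

```shell
#!/bin/sh
# Added example (not from the original post): audit a site directory for
# entries whose group is not the site's gid. Per the post, such files were
# created in the shared upload_tmp_dir and moved in afterwards, so they are
# not charged to the site's group quota.

# usage: find_gid_mismatch SITE_DIR [EXPECTED_GID]
# EXPECTED_GID defaults to the numeric gid that owns SITE_DIR itself.
# Prints one path per line; returns 2 if SITE_DIR is not a directory.
find_gid_mismatch() {
    site_dir=$1
    if [ ! -d "$site_dir" ]; then
        echo "not a directory: $site_dir" >&2
        return 2
    fi
    # ls -ldn prints numeric ids; field 4 is the gid of the directory.
    expected_gid=${2:-$(ls -ldn "$site_dir" | awk '{print $4}')}
    # -xdev keeps the walk on the site's own filesystem.
    # -group accepts a numeric gid when no group of that name exists.
    find "$site_dir" -xdev ! -group "$expected_gid" -print
}

# usage: count_gid_mismatch SITE_DIR [EXPECTED_GID]
# Prints the number of mismatching entries (paths containing newlines
# would be over-counted).
count_gid_mismatch() {
    find_gid_mismatch "$@" | wc -l | tr -d ' '
}

# When run directly with arguments, print the mismatching paths.
if [ "$#" -gt 0 ]; then
    find_gid_mismatch "$@"
fi
```

A non-zero count on a site root means some files there are owned by a group other than the site's.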