how should we handle abuse?

No longer supported!

Moderator: Moderators

Postby miker_alpha » Mon Aug 01, 2005 7:41 am

amec wrote:
Most of the file-types contain some header info. But for this, you should validate the files based on the header and not on a string that usually can be found in the file. ANother thing would be to look in HTML files to be sure that they do not contain parts encoded and which are decoded upon accessing them



WRT OpenVMS: Text-type files (including straight text, HTML etc.) have file attributes, record format structure... which differentiate them from binary (such as executable) files.

OTOH checking the internal structure of HTML files would mean writing the equivalent of a parser/compiler, and that would be to protect a user who opens an unknown web page with Java enabled. Javascript intrinsically protects the user by running in a "sandbox", so it should not be able to do permanent damage.

What did you mean by "based on the header"? Un*x files have no meta-data stored other than their actual contents, and under OpenVMS files like GIF or JPEG may have any of several attributes, as the Apache server reads them one-byte-at-a-time (IIRC) not record-by-record.

Suggestions for a list of permitted files would be gratefully considered.

May the great bird of the universe roost upon your planet!

MikeR
Look for OpenVMS help on my webpage
Check for QOTD here.
Image
User avatar
miker_alpha
Moderator
Moderator
 
Posts: 256
Joined: Sat May 08, 2004 9:20 am
Location: Kibbutz Tzora, Israel

Postby pdl » Sun Aug 07, 2005 5:19 am

If you only allow specified file upload, when technology arises (XML, XHTML etc.), how come?

And for php file though: they might include HTML code, JPG, JPE, EXE (MIME encode) and everything... Could you imagine a Polarhome without php?
pdl
Newbie
 
Posts: 4
Joined: Sun Aug 07, 2005 4:56 am

Previous

Return to FTP accounts

Who is online

Users browsing this forum: No registered users and 5 guests

cron