RE: MIME disable option? (hopefully not FAQ)

---------

From: Tom von Alten (Tom_vonAlten@boi.hp.com)
Date: Mon Apr 19 1999 - 11:08:14 CDT


Daniel Stenberg wrote:
> I am aware that the current way of storing attachments using the supplied
> name may offer ways to screw up the web server, such as your .htaccess
> example. However, instead of disabling the feature I would rather like to
> hear suggestions on how to avoid the risks.

Here are some suggestions:

1) For ease of file management, our local modification of v1 used a
subdirectory tree for attachments. If message 0123.html had attachments,
for example, they'd be put into a
   archive/.attachments/0123/
directory. This would have the side benefit of limiting the scope of
potential mischief.

2) If it is desired to keep attachments in a flat directory with the
archive, a specific set of names (.htaccess is the only one that jumps out
at me, but no doubt there are others) could be excluded.

3) The local sysadmin could touch an .htaccess file and set the permissions
such that hypermail could not overwrite it. Similarly, for any other
reserved names.

Item (2) might still be desirable if (1) is implemented, to protect the
.attachments/NNNN/ subdirectories.

_____________ Hewlett-Packard Computer Peripherals Bristol
Tom von Alten mailto:Tom_vonAlten@boi.hp.com

          This posting is for informational purposes only.
          It is not a statement of the Hewlett-Packard Co.
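
Added example (not part of the original posting and not hypermail's own code): a C sketch combining suggestions (1) and (2), which reduces the sender-supplied name to its last path component, refuses reserved names, and builds the per-message path. The function names, the `.htpasswd` entry and the sample names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Names never written from a message. Only .htaccess is named in the post;
   .htpasswd is an assumed addition. */
static const char *reserved_names[] = { ".htaccess", ".htpasswd", NULL };

/* Return the part of a sender-supplied name after the last '/' or '\\'. */
static const char *leaf_name(const char *supplied)
{
    const char *leaf = supplied;
    for (const char *p = supplied; *p; p++)
        if (*p == '/' || *p == '\\')
            leaf = p + 1;
    return leaf;
}

/* Build archive/.attachments/NNNN/leaf into out.
   Returns 0 on success, -1 if the name is refused or does not fit. */
int attachment_path(const char *archive, int msgnum, const char *supplied,
                    char *out, size_t outlen)
{
    const char *leaf = leaf_name(supplied);

    if (*leaf == '\0' || strcmp(leaf, ".") == 0 || strcmp(leaf, "..") == 0)
        return -1;
    for (int i = 0; reserved_names[i]; i++)
        if (strcasecmp(leaf, reserved_names[i]) == 0)
            return -1;

    int n = snprintf(out, outlen, "%s/.attachments/%04d/%s",
                     archive, msgnum, leaf);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample names, not taken from any real message. */
    const char *samples[] = { "report.pdf", ".htaccess", "../../.HTACCESS",
                              "..\\..\\notes.txt", "..", NULL };
    char path[256];
    for (int i = 0; samples[i]; i++) {
        if (attachment_path("archive", 123, samples[i], path, sizeof path) == 0)
            printf("%-20s -> %s\n", samples[i], path);
        else
            printf("%-20s -> refused\n", samples[i]);
    }
    return 0;
}
```

The reserved-name comparison is case-insensitive so the check also holds on file systems that fold case.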


---------

This archive was generated by hypermail 2.1.5.