You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@lenya.apache.org by Jann Forrer <ja...@id.unizh.ch> on 2005/04/25 22:38:43 UTC
File upload and security
Hi
Up to now, the file upload in lenya is restricted to certain files based
on the file suffix. We recently had a discussion to cancel this
restriction out i.e to enable an upload for all file types.
I am personnally not sure whether this is a good idea. I mainly have
security concerns. However i did not investigate this question in more
detail yet.
Does anybody have a more detailed argument concerning this questions.
Jann
P.S. BTW, for our other java applications, tomcat runs under a security
manager (but up to now, i did not try to run lenya under a security
manager) which allow a very fine tuning concerning security.
---------------------------------------------------------------
Jann Forrer
Informatikdienste
Universität Zürich
Winterthurerstr. 190
CH-8057 Zuerich
oooO mail: jann.forrer@id.unizh.ch
( ) phone: +41 1 63 56772
\ ( fax: +41 1 63 54505
\_) http://www.id.unizh.ch
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@lenya.apache.org
For additional commands, e-mail: user-help@lenya.apache.org
Re: File upload and security
Posted by "Gregor J. Rothfuss" <gr...@apache.org>.
Jann Forrer wrote:
> Hi
>
> Up to now, the file upload in lenya is restricted to certain files based
> on the file suffix. We recently had a discussion to cancel this
> restriction out i.e to enable an upload for all file types.
> I am personnally not sure whether this is a good idea. I mainly have
> security concerns. However i did not investigate this question in more
> detail yet.
> Does anybody have a more detailed argument concerning this questions.
the main reason this is there is to restrict the upload to well-known
filetypes that we know how to handle in resources.xmap. while we could
do an application/octet-stream fallback, i am not sure if that would
work well. maybe cocoon needs a simpler way to define mime types..
i do not think the file type has much to do with security.
> P.S. BTW, for our other java applications, tomcat runs under a security
> manager (but up to now, i did not try to run lenya under a security
> manager) which allow a very fine tuning concerning security.
http://blog.reverycodes.com/archives/000035.html
let us know if you get it to work
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@lenya.apache.org
For additional commands, e-mail: user-help@lenya.apache.org