atom feed2 messages in org.apache.lenya.userRe: File upload and security
FromSent OnAttachments
Jann ForrerApr 25, 2005 1:38 pm 
Gregor J. RothfussApr 25, 2005 2:02 pm 
Subject:Re: File upload and security
From:Gregor J. Rothfuss (gre@apache.org)
Date:Apr 25, 2005 2:02:25 pm
List:org.apache.lenya.user

Jann Forrer wrote:

Hi

Up to now, the file upload in lenya is restricted to certain files based on the file suffix. We recently had a discussion to cancel this restriction out i.e to enable an upload for all file types. I am personnally not sure whether this is a good idea. I mainly have security concerns. However i did not investigate this question in more detail yet. Does anybody have a more detailed argument concerning this questions.

the main reason this is there is to restrict the upload to well-known filetypes that we know how to handle in resources.xmap. while we could do an application/octet-stream fallback, i am not sure if that would work well. maybe cocoon needs a simpler way to define mime types..

i do not think the file type has much to do with security.

P.S. BTW, for our other java applications, tomcat runs under a security manager (but up to now, i did not try to run lenya under a security manager) which allow a very fine tuning concerning security.

http://blog.reverycodes.com/archives/000035.html

let us know if you get it to work