Author: C Morris
Date: 17-01-03 19:42
It seems to me there are 2 issues with this script:
1) The size of the uploaded file is checked _after_ the upload has been done. If it is too large it is removed. However, by this time the file has already been written to disk. The ramifications here are significant.
For example:
MAXIMUM_UPLOAD = 100M
WWW partition size = 500M
User uploads a 5GB file. Since the file size is checked _after_ the upload, the available disk space on the www partition has been filled. Potential server crash.
2) No maximum specified on number of files that can be uploaded.
Similar to the previous issue.
For example:
MAXIMUM_UPLOAD = 100M
www partition size = 500M
User uploads 10 x 100M files. Same result as issue 1.
These issues are not insurmountable but they should be taken into consideration by anyone who plans to post this script to their www server. Beware of blindly adding 3rd party scripts to your http server.
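
An added example, not part of the original post or of the script it reviews: one way an upload handler can enforce both limits while the body is still being read, so that disk use never exceeds the cap. The script's language is not stated on this page, so Python is used; `save_upload`, `dir_usage`, `UploadRejected` and the limit values are hypothetical names and constructed values.

```python
import io, os, tempfile

CHUNK = 64 * 1024  # read size; at most one chunk is buffered before a reject

class UploadRejected(Exception):
    """Raised when an upload would break the per-file or total limit."""

def dir_usage(path):
    """Bytes already used by files in the upload directory (partials included)."""
    return sum(e.stat().st_size for e in os.scandir(path) if e.is_file())

def save_upload(stream, dest_dir, name, declared_len, max_file, max_total):
    """Stream one upload to disk, enforcing both limits while reading.
    `name` is assumed to be a server-generated, path-safe file name."""
    # Issue 2: cap the directory total, not just each file.
    budget = min(max_file, max_total - dir_usage(dest_dir))
    if budget <= 0:
        raise UploadRejected("upload area is full")
    # Content-Length is client-supplied: use it for an early reject only.
    if declared_len is not None and declared_len > budget:
        raise UploadRejected("declared size exceeds limit")
    tmp = os.path.join(dest_dir, name + ".part")
    written = 0
    try:
        with open(tmp, "wb") as out:
            while chunk := stream.read(CHUNK):
                written += len(chunk)
                # Issue 1: check before writing, so disk use never passes budget.
                if written > budget:
                    raise UploadRejected("body exceeds limit")
                out.write(chunk)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)  # leave no partial file behind
        raise
    os.replace(tmp, os.path.join(dest_dir, name))
    return written

if __name__ == "__main__":
    # Constructed demo, scaled down: 100-byte file cap, 250-byte total cap.
    d = tempfile.mkdtemp()
    for i, size in enumerate([100, 5000, 100, 100]):
        try:
            print(i, save_upload(io.BytesIO(b"x" * size), d, f"f{i}", None, 100, 250))
        except UploadRejected as e:
            print(i, "rejected:", e)
```

The directory check is not atomic across concurrent requests, so a filesystem quota or a separate partition for uploads remains the backstop.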