[Openfontlibrary] ccHost compression

Brendan Ferguson drsassafras at gmail.com
Tue Nov 4 10:16:51 PST 2008


> We can set the webserver to send files for download, so neither the
> webserver nor the webbrowser will interpret them.

I imagine that even if the files are set for download, they will be
interpreted. If, say, I set up a GIF for PHP to run through it, and then
force the download header, it will probably download an interpreted GIF.

Now if you changed the type of file to, say, text, this might work...
Probably. But you will not be able to view any of the images any more;
the browser would be treating them like text. :(

There are Apache configs that can disable PHP and CGI for specific
directories, though. I just spent some time playing with them. It seems as
though we will have to put them in our own server config files. They
are not universally accepted in .htaccess files.

I can see if I can change the permissions of the files that are  
uploaded so there is read and write access, but not execution access.  
Not sure if this will work, but worth a try.

Other than that, we will just have to rely on our blacklist, which
should also disable some Windows executables to prevent people from
uploading viruses, which will not affect the server, but when
downloaded could affect the clients.

Another option, which I am really not up to coding, would be to rename
the files when they are downloaded and use a database to connect all
the original file names with the randomly generated file names we
rename them all to. Then we never link directly to any file, but use a
script to send the files when they are asked for. This way, even if
someone got something ugly up onto the server, and they did somehow
have execution permissions, they would not know what file to call.
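
The scheme from the last paragraph of this message (random stored names, a database mapping, and a script that sends the files), together with the no-execute file mode mentioned earlier, sketched as an added example that is not part of the original message or of ccHost. It is written in Python with sqlite3 standing in for the site's database; the class name, table layout and blacklist entries are assumptions.

```python
import os
import secrets
import sqlite3

# Constructed blacklist for illustration; the site's real list is not in the message.
BLOCKED = {"php", "phtml", "cgi", "pl", "exe", "com", "bat", "scr"}


class UploadStore:
    """Keeps uploads under random names; only the database knows the mapping."""

    def __init__(self, root, db):
        self.root, self.db = root, db
        db.execute("CREATE TABLE IF NOT EXISTS uploads "
                   "(id INTEGER PRIMARY KEY, original TEXT, stored TEXT UNIQUE)")

    def save(self, original_name, data):
        # Keep only the last path component of the client-supplied name.
        original = os.path.basename(original_name.replace("\\", "/"))
        # Check every dot-separated part, not just the last ("font.php.gif").
        parts = original.lower().split(".")[1:]
        if not original or any(p in BLOCKED for p in parts):
            raise ValueError("upload rejected")
        stored = secrets.token_hex(16)  # unguessable, and no extension at all
        # O_EXCL refuses to overwrite; mode 0o600 is read/write with no execute bit.
        fd = os.open(os.path.join(self.root, stored),
                     os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        cur = self.db.execute(
            "INSERT INTO uploads (original, stored) VALUES (?, ?)", (original, stored))
        self.db.commit()
        return cur.lastrowid

    def fetch(self, upload_id):
        """The download script: look up by id, never by a path from the client."""
        row = self.db.execute(
            "SELECT original, stored FROM uploads WHERE id = ?", (upload_id,)).fetchone()
        if row is None:
            return None
        with open(os.path.join(self.root, row[1]), "rb") as fh:
            body = fh.read()
        # Drop quotes, backslashes and control characters before building the header.
        safe = "".join(c for c in row[0] if c.isprintable() and c not in '"\\')
        headers = {
            "Content-Type": "application/octet-stream",
            "Content-Disposition": 'attachment; filename="%s"' % safe,
            "X-Content-Type-Options": "nosniff",
        }
        return headers, body
```

The storage directory passed as `root` is meant to sit outside the web server's document root, so the only route to a file is through `fetch`.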


