Printable View
Hi, i'm working on a site where you can store pictures only (for now) but i also would like to support you by storing animations like swf files. But there's a problem some of the swf files contains data files and things like that, how can i prevent (with php) that when i show a movie to a user using a link om my page that the script writes files or data to my server?
pls anyone?
Hi,
if someone submits swf with text files, place it in its own folder
Dont accept swf with php or perl files unless you are willing to verify them (even if they are not designed to write to your server, they might contain errors increasing the server load :)
Musicman
So it's best to check them out before adding to the 'list'? cauze if there are 10.000 ppl adding swf files to my server i can't / wil check them out... isn't there something to fix for (to check the files?)
Hi,
allow only
swf
txt
zip (or other package format) containing swf and txt in same folder.
If someone needs server interaction, advise them to load a secondary movie from their own server and do the scripting there
Musicman
neat idea, i'll only grant access for swf files and nothing more!!... hoping that that's enough!Quote:
Originally posted by Musicman
Hi,
allow only
swf
txt
zip (or other package format) containing swf and txt in same folder.
If someone needs server interaction, advise them to load a secondary movie from their own server and do the scripting there
Musicman
Grtz
If you don't want to allow any swf interaction with the server, refuse any swf that require txt or other files.
Then, you can have your script place all uploaded swf files into a separate directory, and chmod both that directory and the uploaded swf files in that directory to a level on your server which will prevent malicious use (ask your admin for proper level, varies on some setups). Let the server do most of the work for you.
If you allow any server-swf interation without reviewing the fla or a decompilation first, you have no idea what the author may have hidden, nor what triggering mechanisms may be employed in the submitted swf file. Ex: Someone could submit a seemingly harmless swf file that has malicious code which is only triggered on a certain date by certain keypress combos.
I don't fully understand you (i'm dutch) but i understand that there is no way to do a check of what the .fla (swf) animation does fully... maby i only can grant access for reading that file and not other files :) or something.Quote:
Originally posted by JerryJ
If you don't want to allow any swf interaction with the server, refuse any swf that require txt or other files.
Then, you can have your script place all uploaded swf files into a separate directory, and chmod both that directory and the uploaded swf files in that directory to a level on your server which will prevent malicious use (ask your admin for proper level, varies on some setups). Let the server do most of the work for you.
If you allow any server-swf interation without reviewing the fla or a decompilation first, you have no idea what the author may have hidden, nor what triggering mechanisms may be employed in the submitted swf file. Ex: Someone could submit a seemingly harmless swf file that has malicious code which is only triggered on a certain date by certain keypress combos.
Hi,
unless you can place every swf into a subdomain of its own, or every swf gets a different htaccess protection, there is no way to restrict accesses from those swf's to any files on the server (and there is no way to stop people using their browser to access any of these files)
So, to make up some crazy scenarios: you have a forum on your site that uses cookie based login ... and someone uploads a swf that sends somebody's valid login to /forum/login.php (effectively logging in all visitors to the forum under one name) or a swf that asks for some non-existing file once per second (to create a heavy server load)
Both can hardly be prevented, and both could be classified as annoying rather than harmful
Musicman
Let me explain it on another way
users can now upload pictures onto my website for showing (publishing) them on the web (everywhere they like)
when users upload a swf file i won't want them to add a file or read files from the webserver, the animation may only show graphical art (that's included in the swf/fla file) nothing more nothing less, that's all..