I'm about to go live with my site, but still have one small problem!
When I do a packet sniff on the variables posted when the upload is done, the variable target_dir is shown.
Now, when a "smart" user wants to, he can get the direct URL of the just-uploaded file!
I really do not need the target_dir to be posted back from the CGI script.
Is it possible to stop this variable getting posted back to post.php?
XUpload - Stopping the "post" of the target_dir
Nevermind.. I found the place to hack it.

In post.cgi, change

    push @har, { name=>'target_dir', value=>$c->{target_dir}, 'style'=>2 };

to

    # push @har, { name=>'target_dir', value=>$c->{target_dir}, 'style'=>2 };
This was my issue I found today too. I think echoing the ext_folder is enough (since this will be relative to your path specified in Config).
Echoing the entire local, absolute path is a security issue. There's no reason to send the entire path to the browser (which is easily picked up in Firefox using "Live HTTP Headers" Plugin). I recommend removing that line from the next version of XUpload. (Or making it optional, turned off by default).
- PilgrimX182