XUpload - Stopping the "post" of the target_dir

Guest
Posts: 18
Joined: Jan 30, 2007 10:41 pm

Stopping the "post" of the target_dir

#1 Postby Guest » Feb 01, 2007 8:10 pm

I'm about to go live with my site, but still have one small problem!

When I do a "packet sniff" on the variables posted when the upload is done, the variable target_dir is shown.

Now when a "smart" user wants, he can get the direct URL of the just-uploaded file!

I really do not need the target_dir to be posted back from the cgi script.

Is it possible to stop this variable getting posted back to "post.php"?
Last edited by Guest on Feb 01, 2007 11:11 pm, edited 1 time in total.

Guest
Posts: 18
Joined: Jan 30, 2007 10:41 pm

#2 Postby Guest » Feb 01, 2007 8:20 pm

Never mind... I found the place to hack it :-)

In post.cgi

change


push @har, { name=>'target_dir',      value=>$c->{target_dir}, 'style'=>2 };
to


# push @har, { name=>'target_dir',      value=>$c->{target_dir}, 'style'=>2 };

torgospizza
Posts: 4
Joined: Nov 03, 2006 12:44 am

#3 Postby torgospizza » Jan 18, 2008 11:27 pm

This was my issue I found today too. I think echoing the ext_folder is enough (since this will be relative to your path specified in Config).

Echoing the entire local, absolute path is a security issue. There's no reason to send the entire path to the browser (which is easily picked up in Firefox using "Live HTTP Headers" Plugin). I recommend removing that line from the next version of XUpload. (Or making it optional, turned off by default).
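The point made in this post and in the hack from post #2, as an added Perl example that is not XUpload's own post.cgi: the post-back field list is built without the absolute target_dir, only the relative ext_folder is kept, and a small check refuses to emit any value that looks like an absolute path or contains the configured local upload root. The config values, the local_root variable and the safe_to_echo helper are constructed for illustration and are not part of XUpload.

```perl
#!/usr/bin/perl
# Added example (not XUpload's own post.cgi): build the list of form
# fields the upload CGI echoes back to post.php, leaving out the
# server-side absolute target_dir and keeping only the relative
# ext_folder, then refuse to emit anything that leaks the local root.
use strict;
use warnings;

# Constructed sample config; in XUpload these come from Config.
my %c = (
    target_dir => '/var/www/vhosts/example/uploads/2008/01', # absolute local path (hypothetical)
    ext_folder => '2008/01',                                 # relative to the configured upload root
    file_name  => 'photo.jpg',
);

# Same array-of-hashes shape as the @har list in the thread's post.cgi,
# minus the target_dir entry that post #2 commented out.
my @har = (
    { name => 'ext_folder', value => $c{ext_folder}, style => 2 },
    { name => 'file_name',  value => $c{file_name},  style => 2 },
);

# Field names that must never reach the browser.
my %never_echo = map { $_ => 1 } qw(target_dir);

# Defensive check (hypothetical helper): a field is safe to echo only if it is
# not on the deny list, its value is not an absolute unix/windows path, and it
# does not contain the local upload root.
sub safe_to_echo {
    my ($field, $local_root) = @_;
    return 0 if $never_echo{ $field->{name} };
    my $v = $field->{value};
    return 0 if $v =~ m{^/} || $v =~ m{^[A-Za-z]:[\\/]};
    return 0 if defined $local_root && index($v, $local_root) != -1;
    return 1;
}

my $local_root = '/var/www/vhosts/example/uploads';   # constructed value
my @emit = grep { safe_to_echo($_, $local_root) } @har;

# Render the surviving fields as hidden inputs, HTML-escaped, the way a
# post-back form to post.php would carry them.
for my $f (@emit) {
    my ($n, $v) = ($f->{name}, $f->{value});
    s/([&<>"'])/sprintf('&#%d;', ord($1))/ge for ($n, $v);
    print qq{<input type="hidden" name="$n" value="$v">\n};
}

# Sanity demonstration: re-adding the absolute path is rejected by the check.
my $leak = { name => 'some_other_name', value => $c{target_dir}, style => 2 };
print "target_dir under another name would be echoed\n" if safe_to_echo($leak, $local_root);
```

Run as a plain Perl script it prints only the ext_folder and file_name hidden inputs; the final line prints nothing, because the absolute path is caught by the path check even when it is smuggled under a different field name, which is the case a deny-list alone would miss.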

PilgrimX182
Posts: 2186
Joined: Mar 22, 2006 1:39 pm

#4 Postby PilgrimX182 » Jan 21, 2008 8:09 am

Yes. You are totally correct. Already got rid of it in current development code.