SiT! Bugs

ID: 0000492
Project: SiT!
Category: other
View Status: public
Date Submitted: 2009-02-12 17:42
Last Update: 2009-02-27 16:25
Assigned To: ivan
Priority: normal
Severity: block
Reproducibility: have not tried
Target Version: 3.45
Fixed in Version: 3.45
Summary: 0000492: Need to secure attachments dir

Description:
We need a good way of securing the attachments dir. Whilst it's more secure now it goes through download.php and not directly linked, there's nothing to stop someone scanning through folders looking for obviously-named files.

We can ship .htaccess files (not IIS compatible) and tell people to move outside of web root but the only concrete solution seems to be to make sure the attachment folder isn't obviously named. We could md5 the current time at install and store that as $CONFIG['attachment_path'] in the database config table.
Tags: No tags attached.

- Notes
(0000625)
ivan (administrator)
2009-02-12 22:39

Done in svn trunk r5097, although we need to provide upgrade instructions since this will only be implemented for new users.
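
An added example, not SiT! code and not the r5097 change: one way an installer could create the unguessably named attachment directory the description asks for, with the Apache-only .htaccess as a second layer. It swaps the md5-of-install-time idea for random_bytes(), because an install timestamp can be guessed; the function names and the demo base path are hypothetical.

```php
<?php
// Added example: hypothetical helpers, not SiT! code. Needs PHP 7+ for random_bytes().

// Create an attachment directory with an unguessable name under $base and
// return its path (the value an installer would store as the attachment path).
function create_attachment_dir(string $base): string
{
    // 16 CSPRNG bytes -> 32 hex chars: same length as an md5 digest, but not
    // derivable from the install timestamp.
    $path = rtrim($base, '/\\') . DIRECTORY_SEPARATOR . bin2hex(random_bytes(16));
    if (!mkdir($path, 0750, true) && !is_dir($path)) {
        throw new RuntimeException("cannot create $path");
    }
    // Apache only: refuse direct requests (2.4 syntax, then the 2.2 fallback).
    $deny = "<IfModule mod_authz_core.c>\n  Require all denied\n</IfModule>\n"
          . "<IfModule !mod_authz_core.c>\n  Order allow,deny\n  Deny from all\n</IfModule>\n";
    // Empty index file: hides the listing on servers that ignore .htaccess.
    foreach (['.htaccess' => $deny, 'index.html' => ''] as $file => $body) {
        if (file_put_contents($path . DIRECTORY_SEPARATOR . $file, $body) === false) {
            throw new RuntimeException("cannot write $file in $path");
        }
    }
    return $path;
}

// What a download script would do before sending a file: resolve the name
// inside the attachment directory and refuse anything that escapes it.
function resolve_attachment(string $dir, string $filename): ?string
{
    $root = realpath($dir);
    $real = realpath($dir . DIRECTORY_SEPARATOR . $filename);
    if ($root === false || $real === false) {
        return null;
    }
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0 || !is_file($real)) {
        return null;
    }
    return $real;
}

// Demo in a temporary location with a constructed sample file.
$dir = create_attachment_dir(sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'sit-demo');
file_put_contents($dir . DIRECTORY_SEPARATOR . 'report.txt', "constructed sample\n");
echo basename($dir), "\n";
var_dump(resolve_attachment($dir, 'report.txt') !== null);
var_dump(resolve_attachment($dir, '../../etc/passwd'));
```

A random directory name only slows down guessing; keeping the directory outside the web root, as the description also suggests, removes direct requests altogether.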

- Issue History
Date Modified Username Field Change
2009-02-12 17:42 kieran New Issue
2009-02-12 20:44 ivan Status new => assigned
2009-02-12 20:44 ivan Assigned To => ivan
2009-02-12 22:39 ivan Note Added: 0000625
2009-02-12 22:39 ivan Status assigned => resolved
2009-02-12 22:39 ivan Resolution open => fixed
2009-02-12 22:39 ivan Fixed in Version => Current SVN
2009-02-27 13:54 ivan Fixed in Version Current SVN => 3.45
2009-02-27 16:25 ivan Status resolved => closed
