diff options
author | friendica <info@friendica.com> | 2013-10-28 18:43:49 -0700 |
---|---|---|
committer | friendica <info@friendica.com> | 2013-10-28 18:43:49 -0700 |
commit | 5c98d5eaaed2cb342c7e823f5893c0d0d4e19de5 (patch) | |
tree | 92f982aaee4f7218aebab4255a3527c084718460 /include/reddav.php | |
parent | 4415ed78202c2d4b23375ac6737f9f6e49640b20 (diff) | |
download | volse-hubzilla-5c98d5eaaed2cb342c7e823f5893c0d0d4e19de5.tar.gz volse-hubzilla-5c98d5eaaed2cb342c7e823f5893c0d0d4e19de5.tar.bz2 volse-hubzilla-5c98d5eaaed2cb342c7e823f5893c0d0d4e19de5.zip |
doco
Diffstat (limited to 'include/reddav.php')
-rw-r--r-- | include/reddav.php | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/include/reddav.php b/include/reddav.php index 0f5204314..c24414610 100644 --- a/include/reddav.php +++ b/include/reddav.php @@ -15,6 +15,24 @@ class RedInode implements DAV\INode { function delete() { if(! perm_is_allowed($this->channel_id,'','view_storage')) return; + + /** + * Since I don't believe this is documented elsewhere - + * ATTACH_FLAG_OS means that the file contents are stored in the OS + * rather than in the DB - as is the case for attachments. + * Exactly how they are stored (what path and filename) are still + * TBD. We will probably not be using the original filename but + * instead the attachment 'hash' as this will prevent folks from + * uploading PHP code onto misconfigured servers and executing it. + * It's easy to misconfigure servers because we can provide a + * rule for Apache, but folks using nginx will then be susceptible. + * Then there are those who don't understand these kinds of exploits + * and don't have any idea allowing uploaded PHP files to be executed + * by the server could be a problem. We also don't have any idea what + * executable types are served on their system - like .py, .pyc, .pl, .sh + * .cgi, .exe, .bat, .net, whatever. + */ + if($this->attach['flags'] & ATTACH_FLAG_OS) { // FIXME delete physical file } |