From 5c98d5eaaed2cb342c7e823f5893c0d0d4e19de5 Mon Sep 17 00:00:00 2001
From: friendica <info@friendica.com>
Date: Mon, 28 Oct 2013 18:43:49 -0700
Subject: doco

---
 include/reddav.php | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

(limited to 'include/reddav.php')

diff --git a/include/reddav.php b/include/reddav.php
index 0f5204314..c24414610 100644
--- a/include/reddav.php
+++ b/include/reddav.php
@@ -15,6 +15,24 @@ class RedInode implements DAV\INode {
 	function delete() {
 		if(! perm_is_allowed($this->channel_id,'','view_storage'))
 			return;
+
+		/**
+		 * Since I don't believe this is documented elsewhere -
+		 * ATTACH_FLAG_OS means that the file contents are stored in the OS
+		 * rather than in the DB - as is the case for attachments.
+		 * Exactly how they are stored (what path and filename) are still
+		 * TBD. We will probably not be using the original filename but 
+		 * instead the attachment 'hash' as this will prevent folks from 
+		 * uploading PHP code onto misconfigured servers and executing it.
+		 * It's easy to misconfigure servers because we can provide a 
+		 * rule for Apache, but folks using nginx will then be susceptible.
+		 * Then there are those who don't understand these kinds of exploits
+		 * and don't have any idea allowing uploaded PHP files to be executed
+		 * by the server could be a problem. We also don't have any idea what
+		 * executable types are served on their system - like .py, .pyc, .pl, .sh
+		 * .cgi, .exe, .bat, .net, whatever.  
+		 */
+
 		if($this->attach['flags'] & ATTACH_FLAG_OS) {
 			// FIXME delete physical file
 		}
-- 
cgit v1.2.3