Closed bussnet closed 8 years ago
Yes to the “quick’n’dirty”. A few things that jump at me at first glance:
PASSWORD
and $pw_hash
are both equally secure. There is no reason to recommend the end-user to use either of those over the other./tmp/
as a default path. I think it isn’t available on Windows (or am I wrong?), and shared hosting will often not have access to root folders either. Much cleaner to set the default paths relative to the PHP file.$_FILES['name']
without sanitation is a bad idea. The name is provided by the user and can contain illegal characters or even a relative path. An attacker could use this to upload files wherever they want, a file name like ../../usr/local/var/www/hack.php
added to /tmp/media/
would let an attacker run PHP code straight from my public root. At least use basename
against the relative path exploit.Obviously this last point is the most grievous, and until that is fixed I would hold off on putting this in the repository where other people might download and use it unknowingly.
I have just pushed a first release candidate with a lot of in-code documentation, without .htaccess
requirements and with cleaning of the filename (although I am not super happy with it yet). So I am closing this pull request.
Thanks for your interest though, much appreciated, and if you would like to take a look at the current code and let us know what you think that would be great!
Thanks for this input! I'm not really a PHP guy, so I won't manage it much, leaving it to you @Zegnat . I can maintain the version and compatibility in the API repo if you want, though.
tested with the python-client and working fine here