SimonAdrian
User
May 30, 2006, 10:58 AM
Post #1 of 4
(1607 views)
Security-hazard
Maybe my knowledge of viruses isn't up to date, but it seems to me that it is a security hazard that any writer can upload pictures or other files even though his article is still pending. That's what happens if you use the uploading feature. The file goes right up on the server, while the article waits for approval. So is there some way that you can disable the uploading feature in some categories and enable it in others? Especially in connection with the suggestion in the tutorial for Article Manager about letting any visitor write without a password.

Donna
Staff / Moderator
May 30, 2006, 4:57 PM
Post #2 of 4
(1599 views)
Re: [SimonAdrian] Security-hazard
Hi Simon,

Thanks for your email. This isn't actually an issue, since image files are benign. Article Manager lets you designate what file extensions are allowable. While we would recommend strongly against allowing, for example, a .php file to be uploaded on a system that allows non-trusted users to create articles, there's no harm in allowing the .jpg and .gif files that are allowed by default. There is absolutely no way for a jpg or a gif to cause any security issue to your server.

I hope this helps. :) Let me know if you have any other questions about security in Article Manager!

Donna
Hire me! Save time by getting our experts to help with your project. Template changes, advanced features, full integration, whatever you need. Whether you need one hour or fifty, get it done fast with Priority Consulting.

SimonAdrian
User
May 31, 2006, 1:02 AM
Post #3 of 4
(1596 views)
Hi Donna

Then how about XML files? Is there any security risk in uploading them? Apart from a possible risk, the reason why I'm asking is that I plan to allow a lot of writers to update, but only a few trusted ones through XML uploads - the rest shouldn't be allowed to upload XML files. So is there a way you can disable the upload possibility for some categories? If not, I would like to suggest it for a new version. Besides, I would like to preview their uploads before they are on the web.

Best regards
Simon

Donna
Staff / Moderator
May 31, 2006, 12:03 PM
Post #4 of 4
(1586 views)
Re: [SimonAdrian] Security-hazard
Hi Simon,

As far as I know, XML files are just text, and non-executable, so they shouldn't cause any problems. I haven't researched them extensively, but I can't think of how they would be any problem.

While there's no method to allow uploads for some categories only, you could modify the writer interface templates so that those with Writer-level accounts cannot use the upload file facility. That way, those with regular level accounts could still upload files, but writers couldn't. Would that work for you?

Just so you know -- all files that are uploaded ARE on the web right away. They're automatically put into the uploads directory. However, one would have to know the address to them to see them -- they're not linked from anywhere until you've approved the article, or created another link elsewhere. But any file uploaded is, by definition, on the web.

I hope this helps. :)

Donna
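An added example (not part of the thread, and not Article Manager's own code): one way to address the concern raised in post #1, by checking each upload against an extension allow-list and the matching file signature, and holding it in a directory that is not web-served until the article is approved. The function names, the two-directory layout and the .jpg/.gif signature table are assumptions made for illustration.

```python
import os
import secrets

# Assumed allow-list, mirroring the .jpg/.gif default mentioned in the thread.
# Each extension maps to the byte signatures a genuine file must start with.
SIGNATURES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

def check_upload(filename, data):
    """Return the accepted extension, or raise ValueError."""
    name = os.path.basename(filename.replace("\\", "/"))
    stem, ext = os.path.splitext(name.lower())
    if ext not in SIGNATURES:
        raise ValueError("extension not allowed: %r" % ext)
    # Strict policy: refuse a second extension in the stem ("photo.php.jpg"),
    # which some server configurations would treat as a script.
    if "." in stem:
        raise ValueError("multiple extensions")
    if not data.startswith(SIGNATURES[ext]):
        raise ValueError("content does not match extension")
    return ext

def store_pending(quarantine_dir, filename, data):
    """Validate, then save under a random name outside the web-served tree."""
    ext = check_upload(filename, data)
    stored = secrets.token_hex(16) + ext   # the uploader's name is never reused
    with open(os.path.join(quarantine_dir, stored), "xb") as fh:
        fh.write(data)
    return stored

def publish(quarantine_dir, uploads_dir, stored):
    """On article approval, move the file into the public uploads directory.
    Assumes both directories are on the same filesystem."""
    if os.path.basename(stored) != stored:
        raise ValueError("bad stored name")
    dst = os.path.join(uploads_dir, stored)
    os.replace(os.path.join(quarantine_dir, stored), dst)
    return dst

if __name__ == "__main__":
    sample = b"GIF89a" + b"\x00" * 10      # constructed sample bytes
    print(check_upload("picture.gif", sample))
```

The signature check only confirms the leading bytes; it does not prove the rest of the file is a well-formed image.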