On Wednesday 18 January 2006 07:26, Karoly Negyesi wrote:
> These two are cured by killing MIME magic. I am sorry, but that's the best we can do.

Note that we already have a potential security breach in our uploads. PHP is not very good at checking the uploads, Drupal is just a tad worse. Our server maintainer (a notorious security person) pointed me at it and proved that it is very easy to misconfigure Drupal / or the server so that one opens up.

Now, I agree with Gerhard, when he says that "it is certainly not our task to prevent apache misconfigurations". But to some extent that is the Microsoft way: "we cannot help it that people install insecure apps / plugins". To some extent. We should try to be as secure as possible in all configurations, in all environments.

So killing MIME magic does not sound like a good idea to me, since it takes our biggest upload security away. Unless I am completely wrong about the MIME, and in that case I should love some explanation :)

Bèr
--
[ Bèr Kessels | Drupal services www.webschuur.com ]