Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[4.0] Block access to uploaded error-\d.html files #115

Open
dhensby opened this issue Mar 22, 2016 · 6 comments
Open

[4.0] Block access to uploaded error-\d.html files #115

dhensby opened this issue Mar 22, 2016 · 6 comments
Labels
affects/v4 impact/medium type/bug

Comments

@dhensby
Copy link
Contributor

dhensby commented Mar 22, 2016

See #113

This opens a risk of users uploading error-*.html files and having them presented by the site as legitimate pages which could be used for nefarious purposes.

This needs preventing.
@dhensby dhensby added this to the 4.0.0-alpha1 milestone Mar 22, 2016
@tractorcow
Copy link

+1... will get around to this.

@tractorcow tractorcow modified the milestones: 4.0.0-alpha2, 4.0.0-alpha1 May 16, 2016
@tractorcow
Copy link

tractorcow commented Sep 22, 2016
edited
Loading

Um, I can't seem to be able to do this without blocking ErrorDocument in the root .htaccess from working. If we make these files non-web accessible, we can't use apache to serve errors directly anymore.

@tractorcow
Copy link

I found another issue in the template evaluation at silverstripe/silverstripe-framework#6061

@tractorcow tractorcow removed their assignment Sep 22, 2016
@sminnee
Copy link
Member

sminnee commented Sep 26, 2016

Best fix here is probably to save these somewhere other than the assets/ folder, e.g. somewhere outside of the web root.

@sminnee sminnee removed this from the CMS 4.0.0-alpha3 milestone Sep 29, 2016
@tractorcow
Copy link

@sminnee I could fix this by removing ErrorDocument, and documenting how to add it back again. However, it would break the ability for apache to handle errors natively (which, in practice, I never really see done. Error handling is done by PHP). Would this be an acceptable fix?

@dhensby
Copy link
Contributor Author

dhensby commented Apr 12, 2017

👍

@GuySartorelli GuySartorelli mentioned this issue Sep 17, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
affects/v4 impact/medium type/bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@sminnee @chillu @dhensby @tractorcow @emteknetnz