-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Johann Spies wrote:
I would like to hear from the members of this list their opinion about
the safety of enabling php's upload abilities on a webserver with
several clients.
In the past I have declined requests to do so because it cannot be
done on a per-user-basis as I understand it and because I was
uncertain about the safety of such a setup.
If you're adventurous you could patch PHP so you can configure it per
VirtualHost or even per <Directory>, the only thing is that there's
maybe a reason it is not so.
In main/main.c, if you search for "file_uploads", the third value in the
line, PHP_INI_SYSTEM, defines at which points you can alter this value.
If it would be like for the include_path, PHP_INI_ALL, it may be likely
that you can alter it on a per-directory basis which is maybe sufficient
for you.
However when you allow .htaccess, this value may be changed by the user
himself which is not want you want, as far as I understood you.
There are other possible values for the third parameter, like
PHP_INI_PERDIR, so maybe you can tune it the way you need it.
HTH
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.1 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFETxwE1nS0RcInK9ARAk+TAJ9ooca8JYCQ7tJNANaRFVmokLDW/ACgx4mS
1pMV4nzI7XE9RMb+PZC8A0o=
=A7BI
-----END PGP SIGNATURE-----
-------------------------------------------------------------------------
Sponsored by: Watchfire
Watchfire's AppScan is the industry's first and leading web application
security testing suite, and the only solution to provide comprehensive
remediation tasks at every level of the application. Change the way you
think about application security testing - See for yourself.
Download a Free Trial of AppScan 6.0 today!
https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007kaF
--------------------------------------------------------------------------
