Rank: Helper | Registered: October 2002 | Posts: 192

I'm working on a module which will allow end users to upload files and I realized there is a security risk. For instance, a user could upload a malicious PHP script to perform nasty stuff on the server. My solution to this is to allow the administrator to enter a list of file extensions to allow, or enter a list of file extensions to block.
I'd like to know what the other module developers think is the best way to go, and get a feel for what users would prefer.
Thanks!

Rank: Helper | Registered: November 2004 | Posts: 387

I'm for allowed extensions. It's much easier to say ".doc, .jpg, and .tiff" than "everything but .exe and .zip and .gzip etc etc etc," because there are a lot of extensions that would put the site at a security risk, and it's hard to keep track of all of them. Best I think to just disallow everything but a handful of special extensions.
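
The two policies discussed in this thread, compared on constructed file names. This is an added example, not code from either poster or from the module; the function names, the sample lists and the one-extension rule are assumptions made for illustration.

```php
<?php
// Added example: the lists and file names below are constructed for illustration.

// Normalise a client-supplied name: drop path parts, trailing dots/spaces, case.
function normalise(string $name): string
{
    $base = basename(str_replace('\\', '/', $name));
    return strtolower(rtrim($base, '. '));
}

// Allowlist policy: accept only "name.ext" where ext is explicitly approved.
function passes_allowlist(string $name, array $allow): bool
{
    if (strpos($name, "\0") !== false) {
        return false;                      // embedded NUL byte
    }
    $parts = explode('.', normalise($name));
    // Conservative choice (assumption): exactly one extension, non-empty stem.
    if (count($parts) !== 2 || $parts[0] === '') {
        return false;
    }
    return in_array($parts[1], $allow, true);
}

// Blocklist policy: accept anything whose final extension is not listed.
function passes_blocklist(string $name, array $block): bool
{
    $ext = pathinfo(normalise($name), PATHINFO_EXTENSION);
    return !in_array($ext, $block, true);
}

$allow = ['doc', 'jpg', 'tiff'];           // the extensions named in the reply
$block = ['exe', 'zip', 'gzip', 'php'];    // the reply's examples, plus php

// Constructed sample names.
$samples = ['report.doc', 'Photo.JPG', 'script.php', 'SCRIPT.PHP',
            'page.phtml', 'notes.doc.', 'noextension', '.htaccess'];

printf("%-14s %-10s %s\n", 'name', 'allowlist', 'blocklist');
foreach ($samples as $name) {
    printf("%-14s %-10s %s\n", $name,
        passes_allowlist($name, $allow) ? 'accept' : 'reject',
        passes_blocklist($name, $block) ? 'accept' : 'reject');
}
```

The blocklist accepts `page.phtml`, `noextension` and `.htaccess` because nobody listed them, while the allowlist rejects all three by default. Because the check runs on the normalised name, the upload should be stored under that normalised name (or a generated one), not the raw client string.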
