Re: Enabling PHP uploads

[Markus Fischer <markus () fischer name>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Johann Spies wrote:
> I would like to hear from the members of this list their opinion about
> the safety of enabling php's upload abilities on a webserver with
> several clients. 
>
> In the past I have declined requests to do so because it cannot be
> done on a per-user-basis as I understand it and because I was
> uncertain about the safety of such a setup.

If you're adventurous you could patch PHP so you can configure it per
VirtualHost or even per <Directory>, the only thing is that there's
maybe a reason it is not so.

In main/main.c, if you search for "file_uploads", the third value in the
line, PHP_INI_SYSTEM, defines at which points you can alter this value.
If it would be like for the include_path, PHP_INI_ALL, it may be likely
that you can alter it on a per-directory basis which is maybe sufficient
for you.

However when you allow .htaccess, this value may be changed by the user
himself which is not want you want, as far as I understood you.

There are other possible values for the third parameter, like
PHP_INI_PERDIR, so maybe you can tune it the way you need it.

HTH
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.1 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFETxwE1nS0RcInK9ARAk+TAJ9ooca8JYCQ7tJNANaRFVmokLDW/ACgx4mS
1pMV4nzI7XE9RMb+PZC8A0o=
=A7BI
-----END PGP SIGNATURE-----

-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire's AppScan is the industry's first and leading web application 
security testing suite, and the only solution to provide comprehensive 
remediation tasks at every level of the application. Change the way you 
think about application security testing - See for yourself. 
Download a Free Trial of AppScan 6.0 today!

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007kaF
--------------------------------------------------------------------------