Re: An FTP Module for ImpressCMS
Posted by tedsmith on 1286374160
Hi Will
There's a config.php file in the root of the Solmetra Flash Uploader. In that file is where I pasted the above settings from. Based on the comments in that file, it seemed to me that that was the place to specify what files you wanted to allow\disallow.
I don't think there is a download.php file with this particular app (at work at moment so not able to see).
The link you refer to, I thought, was simply to restrict the selection of files based on file extension only - not it's true content type (which is what I thought the array declaration may have applied). I will certainly have another look at that but obviously with an extension-only check, someone could rename a malicious file ('nastyapp.php') to 'FriendlyPage.pdf', upload it, and on extension rules alone, this would be allowed to be uploaded (though this uploader renames the uploaded files to prevent remote execution). Ideally, I want to do a header check to ensure the file being uploaded is a PDF and only a PDF.
It might be best to register on their forum and pose my questions there rather than taking this thread off into a different direction.
For future ref, it would be super good if someone could create an FTP module for ICMS. I trust ICMS modules over and above other apps and feel assured by how they integreate with the system.
There's a config.php file in the root of the Solmetra Flash Uploader. In that file is where I pasted the above settings from. Based on the comments in that file, it seemed to me that that was the place to specify what files you wanted to allow\disallow.
I don't think there is a download.php file with this particular app (at work at moment so not able to see).
The link you refer to, I thought, was simply to restrict the selection of files based on file extension only - not it's true content type (which is what I thought the array declaration may have applied). I will certainly have another look at that but obviously with an extension-only check, someone could rename a malicious file ('nastyapp.php') to 'FriendlyPage.pdf', upload it, and on extension rules alone, this would be allowed to be uploaded (though this uploader renames the uploaded files to prevent remote execution). Ideally, I want to do a header check to ensure the file being uploaded is a PDF and only a PDF.
It might be best to register on their forum and pose my questions there rather than taking this thread off into a different direction.
For future ref, it would be super good if someone could create an FTP module for ICMS. I trust ICMS modules over and above other apps and feel assured by how they integreate with the system.
This Post was from: https://www.impresscms.org/iforum/viewtopic.php?topic_id=4480&post_id=40154