  • Martin Griffiths 826 posts 1269 karma points c-trib
    Feb 14, 2013 @ 13:30
    Martin Griffiths
    0

    Validation regex of datatype when used in a mediatype

    The behaviour of validation on content is: if validation fails, display a warning for correction and save the property data, but do not allow a publish until corrected.

    For me this behaviour doesn't quite work/translate correctly into media...

    For example I found a regex for restricting the types of files that can be uploaded in to the media section. The error displays as expected but continues to allow the file to be uploaded! 

    For me this is unexpected behaviour and a bug? Does anyone else agree?

    The alternative is to use Tim Geyssens' excellent restricted upload datatype (should this not be in the core?), but I'd rather avoid yet another plugin.

    We recently had a web security review and the Umbraco upload control was pulled up because the security company we were using was able to upload and run an ASP page which browsed all of the directories on our server! So it's pretty crucial to restrict the types of files a user can upload.

    Comments from anyone appreciated.

    Martin
  • Funka! 398 posts 661 karma points
    Feb 14, 2013 @ 19:59
    Funka!
    0

    It might not be a bad idea to try and restrict the ~/media folder to not allow scripts to be executed. Rely on the server security for this instead of software security? I need to consider this as well.

  • Martin Griffiths 826 posts 1269 karma points c-trib
    Feb 15, 2013 @ 11:29
    Martin Griffiths
    0

    Hey Funka!

    Yes, absolutely agree with you and I've turned off script execution on the media folder.

    But it still doesn't solve the problem of uploading potentially dangerous files in the first place. In the unlikely event of the server being compromised it may still be possible to execute the code. So I would prefer to ensure the file could never get on there in the first place!

    Thanks

    Martin
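An allowlist check of the kind Martin asks for, added here as an example (it is not code from the thread, from Umbraco, or from the restricted upload package): it refuses the upload instead of saving it with a warning, and it handles the file-name edge cases a bare extension regex tends to miss. The allowed extensions, the pattern and the sample batch are assumptions; the check complements, rather than replaces, Funka!'s advice to turn off script execution in ~/media.

```python
import re
from typing import List, Optional, Tuple

# Constructed allowlist for the thread's scenario: only the image and
# document types editors actually need in the media section (an assumption;
# adjust to your site). Anything not listed is refused, never merely warned about.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}

# Assumed example pattern of the kind one would put on an upload datatype's
# validation: a plain base name followed by exactly one allowed extension.
ALLOWED_NAME_RE = re.compile(r"^[A-Za-z0-9_\-]+\.(?:jpe?g|png|gif|pdf)$", re.IGNORECASE)


def sanitize_upload_name(filename: str) -> Optional[str]:
    """Return the name to store the file under, or None if the upload must be refused.

    The caller rejects the upload on None; it does not save and warn.
    """
    if not filename:
        return None
    # Refuse path components outright instead of trying to repair them.
    if "/" in filename or "\\" in filename:
        return None
    # Control characters (including NUL) never belong in a media file name, and
    # Windows silently drops trailing dots and spaces, so "x.jpg." would land on
    # disk as "x.jpg" while reaching this check looking different.
    if any(ord(c) < 32 for c in filename) or filename != filename.rstrip(". "):
        return None
    # Exactly one extension, so a name such as "report.pdf.aspx" cannot pass on
    # the strength of its first component.
    if filename.count(".") != 1:
        return None
    base, ext = filename.split(".")
    if not base or ext.lower() not in ALLOWED_EXTENSIONS:
        return None
    if not ALLOWED_NAME_RE.fullmatch(filename):
        return None
    return f"{base}.{ext.lower()}"


def triage_uploads(filenames: List[str]) -> Tuple[List[str], List[str]]:
    """Split a batch into names that may be stored and names to refuse."""
    accepted, refused = [], []
    for name in filenames:
        clean = sanitize_upload_name(name)
        if clean is None:
            refused.append(name)
        else:
            accepted.append(clean)
    return accepted, refused


# Constructed sample batch: two legitimate uploads and four that must be refused.
SAMPLE_UPLOADS = ["photo.JPG", "brochure.pdf", "page.aspx",
                  "report.pdf.aspx", "logo.png.", "../photo.jpg"]
```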
