instiki

deac/instiki

Fork 0

Commit graph

Author	SHA1	Message	Date
James Herdman	64d305f2a8	Don't make ANY assumptions about the environment. Use the model and Rails to do as much work as possible.	2009-08-29 14:20:08 -04:00
Jacques Distler	c05d69bcff	Make upgrade_instiki Rake Task Database-Agnostic Reported by James Herdman.	2009-08-27 16:57:37 -05:00
Jacques Distler	5d15e3f39d	Security: Instiki 0.16.2 On Webs with file uploads enabled, uploaded files were stored (in version 0.16.1 and earlier) in the public/ directory. This was a security threat. A miscreant could upload a .html file. When a user clicked on the link to the file, it was opened (unsanitized) in the browser. As of version 0.16.2, uploaded files are stored in the webs/ directory. Now, when the user clicks on the link, the file is sent with the Content-Disposition: attachment header set, which causes the file to be downloaded, rather than opened in the browser. As always, files downloaded from the internets should be treated with caution. At least, this way, they are not aoutomatically opened in the browser. To move your existing uploaded files to the new location, do a rake upgrade_instiki	2009-01-26 00:21:30 -06:00

Author

SHA1

Message

Date

James Herdman

64d305f2a8

Don't make ANY assumptions about the environment. Use the model and

Rails to do as much work as possible.

2009-08-29 14:20:08 -04:00

Jacques Distler

c05d69bcff

Make upgrade_instiki Rake Task Database-Agnostic

Reported by James Herdman.

2009-08-27 16:57:37 -05:00

Jacques Distler

5d15e3f39d

Security: Instiki 0.16.2

On Webs with file uploads enabled, uploaded files were stored
(in version 0.16.1 and earlier) in the public/ directory.

This was a security threat. A miscreant could upload a .html file.
When a user clicked on the link to the file, it was opened (unsanitized)
in the browser.

As of version 0.16.2, uploaded files are stored in the webs/
directory. Now, when the user clicks on the link, the file is sent
with the

    Content-Disposition: attachment

header set, which causes the file to be downloaded, rather than opened
in the browser. As always, files downloaded from the internets should be
treated with caution. At least, this way, they are not aoutomatically 
opened in the browser.

To move your existing uploaded files to the new location, do a

     rake upgrade_instiki

2009-01-26 00:21:30 -06:00

3 commits