Made some additions to eliminate the following security issues: #2
Hello, Antoni.
I am Stelios Mavridis (email@example.com).
Also, by uploading any number of files as another user, you do not cause any problem, in a sense that:
In terms of the session implementation, I don't think it somehow benefits the solution, since if someone has READ access to the file and can see the SHA-256 in the variable, he can send that in the request. Also, it may sometimes not allow you to log in, if I'm not mistaken.
Thanks for helping and let me know of your opinion.
Stelios' approach also takes into account the session ID to avoid using
I don't agree that bypassing the login process does not cause
The industry-common approaches are not necessarily good (see
If the uploaded files are scripts, then they can't be executed unless the user specifically goes and executes them using ssh. The web server cannot execute / run files from the STORAGE folder.
The intention of the patch was to not send the password in plaintext and also to avoid any replay attacks.
The session ID seems to be a 128-bit value (http://www.perlmonks.org/?node_id=214293).
"if someone controls the server": All your bases are belong to us?
PS: About sha256.js. It was formatted that way in the original source; regardless, I will reformat it and update.
Additionally, this is a PHP Session ID, that remains the same until the user quits their browser in most configurations, so it won't be different every time but every time the browser restarts.