Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Browse files

MINOR Documentation (from r106804)

git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@112538 467b73ca-7a2a-4603-9d3b-597d59a354a9
  • Loading branch information...
commit 122549ca60b4bc83cc1c91a26611c327e1d114e2 1 parent 35a3d79
@chillu chillu authored
Showing with 24 additions and 6 deletions.
  1. +7 −4 filesystem/File.php
  2. +17 −2 filesystem/Upload.php
View
11 filesystem/File.php
@@ -5,6 +5,10 @@
* looks at the db object to gather information about a file such as URL
* It then uses this for all processing functions (like image manipulation).
*
+ * Caution: It is recommended to disable any script execution in the "assets/"
+ * directory in the webserver configuration, to reduce the risk of exploits.
+ * See http://doc.silverstripe.org/secure-development#filesystem
+ *
* @package sapphire
* @subpackage filesystem
*/
@@ -44,8 +48,7 @@ class File extends DataObject {
);
/**
- * @see Upload->allowedExtensions
- * @var array
+ * @var array List of allowed file extensions, enforced through {@link validate()}.
*/
public static $allowed_extensions = array(
'','html','htm','xhtml','js','css',
@@ -59,8 +62,8 @@ class File extends DataObject {
);
/**
- * If this is true, then restrictions set in $allowed_max_file_size and
- * $allowed_extensions will be applied to users with admin privileges as
+ * @var If this is true, then restrictions set in {@link $allowed_max_file_size} and
+ * {@link $allowed_extensions} will be applied to users with admin privileges as
* well.
*/
public static $apply_restrictions_to_admin = true;
View
19 filesystem/Upload.php
@@ -5,6 +5,15 @@
* and either creates a new or uses an existing File-object
* for syncing with the database.
*
+ * <b>Validation</b>
+ *
+ * By default, a user can upload files without extension limitations,
+ * which can be a security risk if the webserver is not properly secured.
+ * Use {@link setAllowedExtensions()} to limit this list,
+ * and ensure the "assets/" directory does not execute scripts
+ * (see http://doc.silverstripe.org/secure-development#filesystem).
+ * {@link File::$allowed_extensions} provides a good start for a list of "safe" extensions.
+ *
* @package sapphire
* @subpackage filesystem
*
@@ -409,7 +418,13 @@ public function getAllowedExtensions() {
}
/**
- * @param array $rules
+ * Limit allowed file extensions. Empty by default, allowing all extensions.
+ * To allow files without an extension, use an empty string.
+ * See {@link File::$allowed_extensions} to get a good standard set of
+ * extensions that are typically not harmful in a webserver context.
+ * See {@link setAllowedMaxFileSize()} to limit file size by extension.
+ *
+ * @param array $rules List of extensions
*/
public function setAllowedExtensions($rules) {
if(!is_array($rules)) return false;
@@ -423,7 +438,7 @@ public function setAllowedExtensions($rules) {
/**
* Determines if the bytesize of an uploaded
* file is valid - can be defined on an
- * extension-by-extension basis in {$allowedMaxFileSize}
+ * extension-by-extension basis in {@link $allowedMaxFileSize}
*
* @return boolean
*/
Please sign in to comment.
Something went wrong with that request. Please try again.