MINOR Documentation (from r106804)

git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@112538 467b73ca-7a2a-4603-9d3b-597d59a354a9
Ingo Schommer 2010-10-15 03:04:27 +00:00
parent 35a3d79e87
commit 122549ca60
2 changed files with 24 additions and 6 deletions


@ -5,6 +5,10 @@
* looks at the db object to gather information about a file such as URL
* It then uses this for all processing functions (like image manipulation).
*
* Caution: It is recommended to disable any script execution in the "assets/"
* directory in the webserver configuration, to reduce the risk of exploits.
* See http://doc.silverstripe.org/secure-development#filesystem
*
* @package sapphire
* @subpackage filesystem
*/
@ -44,8 +48,7 @@ class File extends DataObject {
);
/**
* @see Upload->allowedExtensions
* @var array
* @var array List of allowed file extensions, enforced through {@link validate()}.
*/
public static $allowed_extensions = array(
'','html','htm','xhtml','js','css',
@ -59,8 +62,8 @@ class File extends DataObject {
);
/**
* If this is true, then restrictions set in $allowed_max_file_size and
* $allowed_extensions will be applied to users with admin privileges as
* @var If this is true, then restrictions set in {@link $allowed_max_file_size} and
* {@link $allowed_extensions} will be applied to users with admin privileges as
* well.
*/
public static $apply_restrictions_to_admin = true;
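Review bot: The rewritten docblock for `$apply_restrictions_to_admin` puts prose where the type belongs — `@var If this is true, ...` — so doc generators and IDEs will read `If` as the property type. Change the tag line to `* @var boolean If this is true, then restrictions set in {@link $allowed_max_file_size} and` so the type is declared and the sentence still follows. The `$allowed_extensions` docblock in the previous hunk gets this right (`@var array List of ...`), so only the one line needs touching.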


@ -5,6 +5,15 @@
* and either creates a new or uses an existing File-object
* for syncing with the database.
*
* <b>Validation</b>
*
* By default, a user can upload files without extension limitations,
* which can be a security risk if the webserver is not properly secured.
* Use {@link setAllowedExtensions()} to limit this list,
* and ensure the "assets/" directory does not execute scripts
* (see http://doc.silverstripe.org/secure-development#filesystem).
* {@link File::$allowed_extensions} provides a good start for a list of "safe" extensions.
*
* @package sapphire
* @subpackage filesystem
*
@ -409,7 +418,13 @@ class Upload_Validator {
}
/**
* @param array $rules
* Limit allowed file extensions. Empty by default, allowing all extensions.
* To allow files without an extension, use an empty string.
* See {@link File::$allowed_extensions} to get a good standard set of
* extensions that are typically not harmful in a webserver context.
* See {@link setAllowedMaxFileSize()} to limit file size by extension.
*
* @param array $rules List of extensions
*/
public function setAllowedExtensions($rules) {
if(!is_array($rules)) return false;
@ -423,7 +438,7 @@ class Upload_Validator {
/**
* Determines if the bytesize of an uploaded
* file is valid - can be defined on an
* extension-by-extension basis in {$allowedMaxFileSize}
* extension-by-extension basis in {@link $allowedMaxFileSize}
*
* @return boolean
*/
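Review bot: The new class docblock calls {@link File::$allowed_extensions} "a good start for a list of 'safe' extensions", but that list (visible in the File.php section of this commit) starts with '', 'html', 'htm', 'xhtml', 'js' and 'css', which a webserver serves as active content even when script execution in assets/ is disabled, so "safe" here only means not server-executable. Suggest qualifying the sentence, e.g. `* {@link File::$allowed_extensions} is a reasonable default, but note that it still permits HTML and JavaScript uploads; tighten it on sites where untrusted users can upload.` The `setAllowedExtensions()` docblock in the later hunk also lacks a `@return` tag although its first body line returns false for a non-array argument — add `* @return boolean False if $rules is not an array` (the method body continues outside the hunk, so the success return value should be checked there).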