tonyair/silverstripe-framework
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-framework synced 2024-10-22 14:05:37 +02:00
Code Issues Projects Releases Wiki Activity

MINOR Documentation (from r106804)

Browse Source 
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@112538 467b73ca-7a2a-4603-9d3b-597d59a354a9
This commit is contained in:
Ingo Schommer 2010-10-15 03:04:27 +00:00
parent 35a3d79e87
commit 122549ca60
2 changed files with 24 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
filesystem/File.php
View File

@ -5,6 +5,10 @@
* looks at the db object to gather information about a file such as URL * looks at the db object to gather information about a file such as URL
* It then uses this for all processing functions (like image manipulation). * It then uses this for all processing functions (like image manipulation).
* *
* Caution: It is recommended to disable any script execution in the "assets/"
* directory in the webserver configuration, to reduce the risk of exploits.
* See http://doc.silverstripe.org/secure-development#filesystem
*
* @package sapphire * @package sapphire
* @subpackage filesystem * @subpackage filesystem
*/ */
@ -44,8 +48,7 @@ class File extends DataObject {
); );
/** /**
* @see Upload->allowedExtensions * @var array List of allowed file extensions, enforced through {@link validate()}.
* @var array
*/ */
public static $allowed_extensions = array( public static $allowed_extensions = array(
'','html','htm','xhtml','js','css', '','html','htm','xhtml','js','css',
@ -59,8 +62,8 @@ class File extends DataObject {
); );
/** /**
* If this is true, then restrictions set in $allowed_max_file_size and * @var If this is true, then restrictions set in {@link $allowed_max_file_size} and
* $allowed_extensions will be applied to users with admin privileges as * {@link $allowed_extensions} will be applied to users with admin privileges as
* well. * well.
*/ */
public static $apply_restrictions_to_admin = true; public static $apply_restrictions_to_admin = true;

19
filesystem/Upload.php
View File

@ -5,6 +5,15 @@
* and either creates a new or uses an existing File-object * and either creates a new or uses an existing File-object
* for syncing with the database. * for syncing with the database.
* *
* <b>Validation</b>
*
* By default, a user can upload files without extension limitations,
* which can be a security risk if the webserver is not properly secured.
* Use {@link setAllowedExtensions()} to limit this list,
* and ensure the "assets/" directory does not execute scripts
* (see http://doc.silverstripe.org/secure-development#filesystem).
* {@link File::$allowed_extensions} provides a good start for a list of "safe" extensions.
*
* @package sapphire * @package sapphire
* @subpackage filesystem * @subpackage filesystem
* *
@ -409,7 +418,13 @@ class Upload_Validator {
} }
/** /**
* @param array $rules * Limit allowed file extensions. Empty by default, allowing all extensions.
* To allow files without an extension, use an empty string.
* See {@link File::$allowed_extensions} to get a good standard set of
* extensions that are typically not harmful in a webserver context.
* See {@link setAllowedMaxFileSize()} to limit file size by extension.
*
* @param array $rules List of extensions
*/ */
public function setAllowedExtensions($rules) { public function setAllowedExtensions($rules) {
if(!is_array($rules)) return false; if(!is_array($rules)) return false;
@ -423,7 +438,7 @@ class Upload_Validator {
/** /**
* Determines if the bytesize of an uploaded * Determines if the bytesize of an uploaded
* file is valid - can be defined on an * file is valid - can be defined on an
* extension-by-extension basis in {$allowedMaxFileSize} * extension-by-extension basis in {@link $allowedMaxFileSize}
* *
* @return boolean * @return boolean
*/ */