John Robinson 2005-04-07, 5:49 pm
Simon -
This all makes perfect sense, but what I don't understand is why we
don't (can't) have something like we have in plain-ol' html... a
file-upload ("multi-part" I think it's called?) form element? That's
the only thing we are missing. I don't think I'd be happy with an fcs
based solution. I'd rather not be tied to one product when there are so
many good options available already.
What would be the difference if I used an html form or an swf to submit
a file to a php/cgi/etc script? Both are open formats and script
kiddies can see exactly what cgi is handling the upload just by looking
at the source for the html. The trick is that using php you have great
control over what gets uploaded and where it goes.
Just my thoughts.
John
On Feb 21, 2005, at 3:55 PM, Simon Lord wrote:
> I'm sure you can imagine people wanting to upload malicious software
> to your server, it could be anything from js to cgi's. Hell, you can
> embed js and cgi scripts into the EXIF data of many image formats.
>
> Or possibly upload a swf that itself is coded to allow a broader range
> of uploads to the server. Right now the only solution is server side,
> since SWF is an open format anyone could open your swf and take a look
> at how and where you are sending data (pointers to the cgi file etc).
>
> And how do you prevent script kiddies from producing innocent games
> which really snip your OS and upload your private data to their server
> without your knowledge?
>
> Lots of things can go wrong and I think Macromedia is correct in
> waiting out this feature and making sure they've looked at it from
> every angle.
>
> As a starting point, allowing upload capabilities with FCS Pro is a
> start, at $4500+ it would be limited to a small group and much less
> exploitable as it's a server side function with inaccessible code
> instructions (to the outside world).
>
> I don't have all the possibilities but these are just a few of the
> things I see right off the top of my head.
>
> But it is off topic, not because you may not be idealistically correct
> to ask why it's not part of the whiteboard component but because it
> won't happen anytime soon (unless there is an easter egg in Flash 8 we
> haven't heard about yet).
>
> The next reason would be that this functionality is 100% available
> using PHP/GDLib2/<insert DB type here>. You could easily create this
> functionality if you absolutely required it - and again it would be
> server side so you could control access and upload restrictions as
> well as assign exe/owner rights on the uploaded file so that it has no
> rights to perform any task.
>
> That's it for me. Gonna drink this coffee now...
>
=-----------------------------------------------------------
Supported by Fig Leaf Software - http://www.figleaf.com
=-----------------------------------------------------------
To change your subscription options or search the archive:
http://chattyfig.figleaf.com/mailman/listinfo/flashcomm
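
Added example, not part of the original thread or either poster's code: one way to apply the server-side control both messages mention, using PHP with GD. The form field name "image", the size limits and the storage directory are assumptions. It re-encodes the pixels so metadata such as EXIF is not carried over, picks the file name itself, and stores the file with no execute permission.

```php
<?php
declare(strict_types=1);
// Added example. Assumed names: form field "image", UPLOAD_DIR, both limits.
const MAX_BYTES  = 2 * 1024 * 1024;
const MAX_PIXELS = 25000000;
const UPLOAD_DIR = '/var/uploads/images'; // assumed: a directory outside the web root

function store_uploaded_image(array $file, string $destDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name']) || filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('not an HTTP upload, or too large');
    }
    // Decide the type from the file's own bytes, never from the client-sent
    // file name or Content-Type.
    $loaders = [
        IMAGETYPE_JPEG => 'imagecreatefromjpeg',
        IMAGETYPE_PNG  => 'imagecreatefrompng',
        IMAGETYPE_GIF  => 'imagecreatefromgif',
    ];
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset($loaders[$info[2]]) || $info[0] * $info[1] > MAX_PIXELS) {
        throw new RuntimeException('not an allowed image');
    }
    $load = $loaders[$info[2]];
    $img  = @$load($file['tmp_name']);
    if ($img === false) {
        throw new RuntimeException('image could not be decoded');
    }
    // Write a fresh PNG from the decoded pixels: EXIF blocks, comments and
    // any bytes appended to the original file are not copied.
    $name = bin2hex(random_bytes(16)) . '.png'; // server-chosen name and extension
    $path = rtrim($destDir, '/') . '/' . $name;
    if (!imagepng($img, $path)) {
        throw new RuntimeException('could not write image');
    }
    chmod($path, 0640); // read/write only, no execute bit
    return $name;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_FILES['image'])) {
    try {
        echo 'stored as ', store_uploaded_image($_FILES['image'], UPLOAD_DIR), "\n";
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

The web server should also be configured not to run scripts from the storage directory, since file permissions alone do not stop an interpreter from reading a file.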