I noticed that the upload folder needs to have an "index.html" otherwise you get this "weird" error message:
Couldn't create upload directory
Even though the folder exists already. I don't think it should be necessary to add an index.html file to the upload folder.
I also noticed that files are prefixed with "date('YmdHis')". The reason for this is probably file upload security, right? I am not sure whether that is really secure, since it would be very easy to "guess" the prefix. A random prefix would probably be better?
Hi Joomla!dude,
It doesn't quite work like that (or at least it isn't intended to).
+ The file uploader checks for an index.html file; if it is found, it assumes that the folder exists.
+ If it isn't there it tries to create an index.html file in the specified folder, creating the folder at the same time.
+ If it can't create the file and folder then you get the "Couldn't create upload directory". Usually this is an indication that the folder location is either inaccessible, or that the Joomla! User doesn't have write permission.
The date string isn't particularly added for security but to avoid problems with identically named files being uploaded to the same folder. I'm not especially convinced that a random string is significantly more secure than a random second but possibly it is. I do have a CFv4 Upload Files action that allows you to add a random string but haven't yet updated that to CFv5.
Bob
There is no permission issue. Look at the cegore\folder\create method. It returns false if the folder exists (which triggers the error messages).
In my opinion the index.html check is not necessary since the method does that already.
Hi,
Even if the method does that already, it's better to have an index.html file to avoid listing all the directory contents when accessed.
It's hard to guess the file name + the timestamp, and if you are still worried about security then you can use .htaccess to block the whole directory!
Regards,
Max
I should have probably phrased my original post differently. It should have had two distinct parts.
A bug report: If index.html is missing from the upload folder, Chronoforms complains it cannot create the upload folder even though it exists already. Instead it should print: index.html is missing or so. I had to debug the code to figure this out.
A comment: Having an index.html shouldn't be necessary. But I respect your explanation (although it reminded me of that JED discussion, see also http://www.dionysopoulos.me/the-files-of-wrath/ ), but at least adjust the error message :-)
"It's hard to guess the file name + the timestamp"
It is very easy to guess (from a malicious uploader's point of view), since the prefix is only granular to the second. But Bob said already it was not a security feature, so it doesn't really matter.
Feature request for ChronoForums: Edit Grace Time, so users could edit a post to fix typos :-)
I think the code checks if the index.html file exists OR if it can be created; if both fail then it returns an error, but I will check it again once I'm back at the office!
I mean that it's hard for somebody who just wants to download your uploaded files to guess both the time stamp + the file name, but anyway a new feature will be added to control this + you can use .htaccess or change the files path for extra security!
Regards,
Max
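An added example, not part of the thread and not ChronoForms code: one way to separate the "directory missing" check from the index.html placeholder so each failure gets its own message, and to prefix stored files with random bytes instead of date('YmdHis'). The function names ensure_upload_dir and stored_upload_name and the demo folder are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical helper names; this is an illustration, not ChronoForms code.

/**
 * Make sure the upload directory is usable, reporting each failure separately
 * instead of one generic "Couldn't create upload directory".
 */
function ensure_upload_dir(string $dir): void
{
    // Only try to create the folder when it really is missing.
    if (!is_dir($dir) && !mkdir($dir, 0750, true) && !is_dir($dir)) {
        throw new RuntimeException("Upload directory could not be created: $dir");
    }
    if (!is_writable($dir)) {
        throw new RuntimeException("Upload directory is not writable: $dir");
    }
    // The index.html placeholder only hides the directory listing; its absence
    // is never treated as "directory missing".
    $index = $dir . DIRECTORY_SEPARATOR . 'index.html';
    if (!is_file($index) && file_put_contents($index, '<!DOCTYPE html><title></title>') === false) {
        throw new RuntimeException("index.html could not be written in: $dir");
    }
}

/**
 * Build the stored file name: 128 random bits make it unguessable, the
 * sanitised original name keeps it recognisable to the site owner.
 */
function stored_upload_name(string $originalName): string
{
    $base = (string) preg_replace('/[^A-Za-z0-9._-]/', '_', basename($originalName));
    $base = ltrim($base, '.');            // no dotfiles such as .htaccess
    if ($base === '') {
        $base = 'upload';
    }
    return bin2hex(random_bytes(16)) . '_' . $base;
}

// Constructed demo input: a temporary folder and a sample client file name.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cf_upload_demo';
ensure_upload_dir($dir);

// A second-granular timestamp has only 86,400 possible values per day.
echo 'timestamp prefix: ' . date('YmdHis') . "_report.pdf\n";
echo 'random prefix:    ' . stored_upload_name('../../report.pdf') . "\n";
```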