
Plupload - doubts about security

http://www.plupload.com - "Allows you to upload files using HTML5, Gears, Silverlight, Flash, BrowserPlus or normal forms, providing some unique features such as upload progress, image resizing and chunked uploads." This is the uploader used in current WordPress v3.4.1 and the best one out there in my opinion.

It comes with an upload.php file (full file: http://ideone.com/xbPUS).

I have doubts about its security: when I have upload.php on my server, even if I don't set up any JavaScript for Plupload, anyone is still able to relatively easily send a request to the upload.php file and upload anything, anytime... TRUE OR FALSE?

How do I prevent that?

It's not a security issue. Across the internet you can try to upload anything you want to servers (addresses) that support the POST method. It's up to the server-side software to accept or reject such an upload - it's always been this way. Of course there can be some restrictions put onto who uploads what (using tokens, authorization etc.), but that's up to you (as developer) to handle.

As to the upload.php file from Plupload, I think it's supposed to be just a quick and dirty example that makes trying out Plupload a little bit easier.

I think you want WordPress to work with upload.php and not the other way around. So if anyone would call upload.php directly it will fail. Can you set some specific information that will only be available from within your WordPress functions? In upload.php you can ask for this information; if it is not available, it will stop. Hope this is what you need.
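
Both answers above come down to a server-side check at the top of upload.php. The sketch below is an added example, not part of either answer and not Plupload's or WordPress's own code: the authenticated page that renders the uploader issues a short-lived HMAC-signed token, and upload.php rejects any POST that does not carry a valid one. The names `UPLOAD_SECRET`, `UPLOAD_TOKEN_TTL`, `issue_upload_token()`, `verify_upload_token()` and the `upload_token` form field are assumptions made for illustration.

```php
<?php
// Added example, not Plupload's or WordPress's own code. UPLOAD_SECRET,
// issue_upload_token() and verify_upload_token() are hypothetical names.
const UPLOAD_TOKEN_TTL = 900; // token lifetime in seconds

function upload_secret(): string
{
    // Assumption: a random secret of 32+ bytes is provisioned in the environment.
    $secret = getenv('UPLOAD_SECRET');
    if ($secret === false || strlen($secret) < 32) {
        throw new RuntimeException('UPLOAD_SECRET is not configured');
    }
    return $secret;
}

// Called by the authenticated page that renders the uploader; the result is
// handed to the client, e.g. through Plupload's multipart_params setting.
function issue_upload_token(string $userId, ?int $now = null): string
{
    $payload = base64_encode(json_encode(['uid' => $userId, 'exp' => ($now ?? time()) + UPLOAD_TOKEN_TTL]));
    return $payload . '.' . hash_hmac('sha256', $payload, upload_secret());
}

// Returns the user id the token was issued for, or null if forged, malformed or expired.
function verify_upload_token(string $token, ?int $now = null): ?string
{
    $parts = explode('.', $token);
    // Check the MAC before parsing anything the client controls.
    if (count($parts) !== 2
        || !hash_equals(hash_hmac('sha256', $parts[0], upload_secret()), $parts[1])) {
        return null;
    }
    $claims = json_decode((string) base64_decode($parts[0], true), true);
    if (!is_array($claims) || !is_string($claims['uid'] ?? null) || !is_int($claims['exp'] ?? null)) {
        return null;
    }
    return ($now ?? time()) < $claims['exp'] ? $claims['uid'] : null;
}

// First lines of upload.php, before any file handling:
if (PHP_SAPI !== 'cli') {
    $token = $_POST['upload_token'] ?? '';
    $uid = ($_SERVER['REQUEST_METHOD'] === 'POST' && is_string($token)) ? verify_upload_token($token) : null;
    if ($uid === null) {
        http_response_code(403);
        exit('Forbidden');
    }
    // $uid now identifies the uploader for the file handling that follows.
}
```

The token only establishes who is allowed to call upload.php; checks on file type, size and destination path still belong in the upload handler itself.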
