Hello,
I am working for an ISP and we are planning to offer web
archives for our users mailing-lists. I began to setup
mhonarc to do this but I have a security problem. As I
would like to permit people to have their owns ressources
files, a few ressource element (ie all filenames) might
be used to access/erase other sites files (such as
.htaccess or .htpassword). I tried to search in archives
or web sites to find an similar problem but without any
success.
Thus, I was wondering if :
- I am dumb and a solution to the problem already exist
- I can forget allowing people to setup their own
ressources files
- I should try to solve this problem.
To the latest case, I have two possible ideas :
- filtering the user ressource file to remove "dangerous"
ressource elements
- adding an option to mhonarc to define a "ressource
directory" (the "user root" directory), if this option
is used, then all files name should be relative to this
directory ('..' would be then forbidden)
Personnaly, I prefer the second solution but I just do
not know if it may be usefull to other people...
François
