CKEditor 4
Mon, 10/31/2005 - 02:50
#1
henrycortezwu
henrycortezwu's picture
Joined: 26/11/2006
Posts: 8

.NET UserFilePath Bug

At the FileWorkerBase.cs
the ff should be interchange because DEFAULT_USER_FILES_PATH has a constant value and will never process the check for ServerPath.

// Otherwise use the default value.
if ( sUserFilesPath == null || sUserFilesPath.Length == 0 )
{
sUserFilesPath = DEFAULT_USER_FILES_PATH ;
}

// Try to get from the URL.
if ( sUserFilesPath == null || sUserFilesPath.Length == 0 )
{
sUserFilesPath = Request.QueryString["ServerPath"] ;
}
Top
Mon, 10/31/2005 - 01:40
fredck
fredck's picture
Joined: 19/01/2007
Posts: 898

RE: .NET UserFilePath Bug

The fact is that it is a big security issue in the File Manager if you receive the path from the URL. It is easy to any hacker to just change the URL and point it to another directory.

I think I'll probably remove the possibility to load it from the QueryString.

It would be nice to have opinions from all you.

BR,
FredCK

Frederico Knabben
CKEditor Project Lead and CKSource Owner
--
Follow us on: Twitter | Facebook | Google+ | LinkedIn

Top
Mon, 10/31/2005 - 01:50
liane
liane's picture
Joined: 13/11/2003
Posts: 17

RE: .NET UserFilePath Bug

ok, it is a security issue, but one that should be the responsibility of the implementor, not yours. That is, when the editor is used from inside a CMS, it is the CMS itself that needs to be protected, not the editor!!!

Please leave that handy feature, but warn the user of the potential problem, if not cared of (just as the browsers being disabled by default, until explicitly enabled)
Top
Mon, 10/31/2005 - 02:25
xenden
xenden's picture
Joined: 08/04/2006
Posts: 321

RE: .NET UserFilePath Bug

+1 for the connectors to be disabled by default.

It would probably be best to seperate the connectors from the editor itself. Offer them as a seperate, seamless to intall package.

Just thoughts... =]
Top
Mon, 10/31/2005 - 02:30
fredck
fredck's picture
Joined: 19/01/2007
Posts: 898

RE: .NET UserFilePath Bug

We could also leave this feature... but, unfortunately the world is not made by "super-expert" developers that will always be conscious of their choices. Also, many of them will just consider that, if the feature is available, it would be safe to use.

This is way a server side option is the option. Today it can be done with an Application var, a Session var and a Web.config setting.

In some way it is a bad software design to leave security holes if we now they exist.

Please leave your comments (all you).

Frederico Knabben
CKEditor Project Lead and CKSource Owner
--
Follow us on: Twitter | Facebook | Google+ | LinkedIn

Top
Mon, 10/31/2005 - 02:50
liane
liane's picture
Joined: 13/11/2003
Posts: 17

RE: .NET UserFilePath Bug

to be honest, I don't care *how* it is done, I just need this feature, to be able to set any folder I like as the target for the file browsers.

But, still, I'd prefer the solution be *not* server dependant, if at all possible (cookies might be the only choice then, or not?)
Top
Twitter Facebook Facebook Instagram Medium Linkedin GitHub Arrow down Phone Menu Close icon Check