Http Post / destFolderPath

Last post 11-03-2007 3:02 AM by BarryR. 1 replies.
  • 11-03-2007 1:44 AM

    • AdamB
    • Top 10 Contributor
    • Joined on 09-28-2007
    • Posts 40

    Http Post / destFolderPath

    From what I understand the uploadToken limits the end-user to uploading files only to their account (and not the master account), if the token is obtained using a child account's credentials.

    However, the token doesn't incorporate any aspect of the destFolderPath, so can't the destFolderPath be tampered with on a browser-based http post (aka stick the file somewhere else in the account)? Is there any way to prevent this?


    Thanks,

     Adam
     

  • 11-03-2007 3:02 AM In reply to

    • BarryR
    • Top 10 Contributor
    • Joined on 07-20-2007
    • San Diego
    • Posts 529

    Re: Http Post / destFolderPath

    You are correct that the destination path can be changed in the case of http uploads. For now this isn't a destructive problem since there is no overwrite on uploads, but this will be given a high priority. We would need to add the path as part of the token generation. The only way to avoid this problem for now is to proxy the uploads through your own server.

    I will suggest this addition to enhance the upload security right away.

    Thanks,
        Barry R.

    IM Support (Feel free to add me)

    MSN: barryruffner@msn.com
    Gmail: barryruffner@gmail.com
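
Added example, not part of the original thread and not the service's own code: a sketch of what "adding the path as part of the token generation" can look like, with the server binding the account and a canonicalized destFolderPath into an HMAC and rejecting any post whose path differs. The token format, key, and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import posixpath
import time

SECRET = b"constructed-demo-key"  # constructed value; a real key stays server-side


def canonical_path(path):
    """Normalize a folder path so equivalent spellings compare equal."""
    cleaned = path.replace("\\", "/").lstrip("/")
    # normpath resolves "." and ".." and drops trailing slashes.
    return posixpath.normpath("/" + cleaned)


def _mac(account, folder, expires):
    # Length-prefix each field so field boundaries cannot be shifted.
    fields = (account.encode(), folder.encode(), str(expires).encode())
    msg = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(account, dest_folder_path, ttl=300, now=None):
    """Issue a token valid for one account and one destination folder."""
    expires = int(now if now is not None else time.time()) + ttl
    folder = canonical_path(dest_folder_path)
    return f"{expires}.{_mac(account, folder, expires)}"


def verify_upload(token, account, dest_folder_path, now=None):
    """Return True only if the posted path is the one the token was issued for."""
    try:
        expires_s, mac = token.split(".", 1)
        expires = int(expires_s)
    except ValueError:
        return False  # malformed token
    if (now if now is not None else time.time()) > expires:
        return False  # expired
    expected = _mac(account, canonical_path(dest_folder_path), expires)
    # Constant-time comparison on bytes.
    return hmac.compare_digest(mac.encode(), expected.encode())
```

The browser still submits destFolderPath as a form field, but the server recomputes the MAC over the submitted value, so a changed path no longer verifies.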