May 3rd, 2011, 8:16 PM
Hey all,
2.1.0 (the current available version) contains an index.html in that folder. All that that does is prevent the browser from displaying the contents of the folder. It's low-fi, but it solves the immediate problem.
Alex, using .htaccess is definitely better from a security point of view, but like you said, it would require users to be perpetually entering their login credentials - plus you'd need to go through the legwork of setting up the actual permissions. It all depends on your situation and your judgment. If the content being uploaded is very sensitive, then yes - password-protecting the whole folder with .htaccess would make sense. Also, you might want to consider using a custom upload folder which would be harder for a hacker to guess (e.g. /uploads59115 or something random).
The other possibility (depending on how security-conscious you feel you need to be) is to specify an upload folder that's above the actual webroot. This will break any links to the files in the user interface (since they won't be accessible via an http:// location), but the files will still be properly uploaded to the server. No one without server permissions would be able to access the files.
- Ben
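An added example, not part of Ben's post or of the application's own code: a Python check that reports which of the options described above an upload folder currently matches. The function names, state labels and directory tree are constructed for illustration, and the .htaccess test is a heuristic that assumes Apache with overrides enabled.

```python
import os
import tempfile

def _inside(root, path):
    # commonpath compares whole components, so /srv/www2 is not inside /srv/www.
    return os.path.commonpath([root, path]) == root

def classify_upload_dir(webroot, upload_dir):
    """Say which of the post's options an upload folder currently matches."""
    # Test the path as written and with symlinks resolved: either can expose it.
    literal = _inside(os.path.abspath(webroot), os.path.abspath(upload_dir))
    resolved = _inside(os.path.realpath(webroot), os.path.realpath(upload_dir))
    if not (literal or resolved):
        return "outside-webroot"
    htaccess = os.path.join(upload_dir, ".htaccess")
    if os.path.isfile(htaccess):
        with open(htaccess, encoding="utf-8", errors="replace") as fh:
            names = {ln.split()[0].lower() for ln in fh
                     if ln.strip() and not ln.lstrip().startswith("#")}
        if {"authtype", "require"} <= names:  # heuristic for password protection
            return "password-protected"
    if os.path.isfile(os.path.join(upload_dir, "index.html")):
        return "index-file-only"
    return "no-index-file"

def demo():
    """Classify a constructed directory tree (sample data, not a real site)."""
    auth = 'AuthType Basic\nAuthName "Uploads"\nAuthUserFile /placeholder/.htpasswd\nRequire valid-user\n'
    layout = {
        "public_html/upload": {"index.html": ""},
        "public_html/uploads59115": {},
        "public_html/private": {".htaccess": auth},
        "public_html2/upload": {},   # sibling that only shares a name prefix
        "data/upload": {},           # above the webroot
    }
    results = {}
    with tempfile.TemporaryDirectory() as base:
        for rel, files in layout.items():
            os.makedirs(os.path.join(base, rel))
            for name, body in files.items():
                with open(os.path.join(base, rel, name), "w") as fh:
                    fh.write(body)
        os.symlink(os.path.join(base, "data/upload"), os.path.join(base, "public_html/link"))
        for rel in list(layout) + ["public_html/link"]:  # link: in webroot, points outside
            results[rel] = classify_upload_dir(os.path.join(base, "public_html"), os.path.join(base, rel))
    return results

if __name__ == "__main__":
    for rel, state in demo().items():
        print(f"{state:20} {rel}")
```

The symlinked folder is reported as inside the webroot even though its target sits above it, because the link itself is reachable under the webroot.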