FTP upload???

Started by Mastacheata, November 18, 2004, 10:49:19 PM


Mastacheata

Is there a mod or something like this that makes an ftp upload possible? HTTP Upload is easy and nice but an ftp upload would solve many problems.
My users complained many times they have to upload their pictures file by file and it is very slow by http upload.
The HTTP Upload has in most cases the restriction of a very low filesize. This restriction doesn't affect ftp so you could upload bigger .zip files by ftp.
Maybe anyone has posted something like this yet and if yes it would be nice to tell me where I can find it, otherwise I will have to write an ftp upload feature on my own.

Tranz

If your users have WinXP, they could use that winxp publisher. And/or, you would need to ask your host about increasing file upload size.

Mastacheata

What I thought of was to open an ftp connection to my ftp server with a 2nd ftp account (to get around safe mode) and then move the files to the ftp server directly. My users don't know quite much about computing, maybe even nothing else than surfing webpages and hanging around in php chats.
I think I'll build my own one. It's not that hard because I was programming an own gallery script before I've seen cpg can also run in php safe mode and have the functions for that already done.
I'll post my results as a new addon maybe.

This thread can be closed if you want.

Joachim Müller

Giving users access to ftp upload is a huge security risk if the server isn't yours to configure properly against possible attacks. You would either have to write your own ftp client (something DJMaze is up to on the cpgnuke port, not sure if he succeeded). For security reasons batch-add is only available for admin users.
There's a mod about the menalto remote control that has been posted recently, maybe that's an option for you.

Joachim

Mastacheata

I'll have a look on the remote control thingy. I know batch add is only available for admins but there's one of my users who doesn't know anything about computers and she will be the only one to upload pics and batch add them.
My FTP Connection works over a socket connection and my webhost told me there was no risk at all I had to fear/take care of.

Joachim Müller

Urm, this is not the security risk I was referring to: if you allow ftp uploads, nothing will prevent users from uploading php or perl scripts - they could use them to easily take over the control of your webserver.
Especially if the person you want to give batch-add powers knows nothing about computers as you claim it will be most likely that he/she will break things in no time (e.g. uploading huge images that will grind the server to halt when using batch-add on them). You're welcome to remove the single line in searchnew.php that keeps non-admins from accessing the batch-add function, but don't say we haven't warned you.

Joachim

Mastacheata

Now I understand which problems you mean.
The executing scripts thing is not that huge problem because it's similar to the http upload in your scripts. I've built in a check for the file extension and set the mime-type of the files uploaded, so it will be not that easy to upload scripts to the webspace, even though there will always be some possibilities to do so.
You misunderstood what I plan to do with the batch add function. I won't make it available for everyone, just for this one person and the upload is also restricted to only me and the 2nd person.

Joachim Müller

I understand that perfectly well. Maybe I didn't make my point. Give me ftp access to your site and I will ruin it in less than a minute. There's no point in adding checking routines inside searchnew.php (the batch-add file): I upload a script file to your webspace using ftp and run it in my browser - your webserver will be dead before you even hear the shot.
However, if you think it's such a clever idea I won't mind - but just don't come back here and complain that coppermine was unsecure - it is you who is deliberately making it unsecure. You have been warned.

Joachim
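
An added example, not part of the thread and not Coppermine code: a Python audit of an FTP drop directory that judges each file by its leading bytes rather than by its extension or a declared MIME type, and also flags script-like name parts and oversized files. The extension list, the size ceiling and the sample files are assumptions constructed for illustration, and this only detects what has already landed; it does not replace keeping the drop directory non-executable by the web server.

```python
import os
import tempfile

# Leading bytes of the image types the gallery accepts (assumed allow-list).
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")
# Name parts a web server may hand to an interpreter (assumed; adjust per host).
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "phtml", "pl", "cgi", "py", "sh", "htaccess"}


def is_image(path):
    """Judge the file by its leading bytes, not by its name or declared MIME type."""
    with open(path, "rb") as fh:
        return fh.read(8).startswith(IMAGE_MAGIC)


def audit(root, max_bytes=2 * 1024 * 1024):  # assumed ceiling, mirrors the thread's 2MB
    """Walk root; return {relative_path: [reasons]} for files to quarantine."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = []
            # Check every dot-separated part, so "x.php.jpg" is caught as well.
            if SCRIPT_EXTS & set(name.lower().split(".")[1:]):
                reasons.append("script extension")
            if not is_image(path):
                reasons.append("not an image by content")
            if os.path.getsize(path) > max_bytes:
                reasons.append("oversized")
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings


def demo():
    """Audit a constructed drop directory (all sample files are made up)."""
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 32
    samples = {
        "holiday.jpg": jpeg,
        "avatar.php.jpg": jpeg,
        "notes.jpg": b"plain text, not an image",
        "big.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 4096,
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return audit(root, max_bytes=1024)
```
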

Mastacheata

I don't want to complain about security reasons in cpg but I need to upload about 100 pictures in one day each month, so it's very uncomfortable to do this via http upload because you can only upload 4 single files or about 3-4 files at once in a zip file because my php upload size is restricted to 2MB.
In my FTP routine I can select a directory and upload all files within it. I would really appreciate to have a secure website, but don't know much about security reasons, so I thought it would reach out to set the content type.
I think I need to rethink my whole concept and then again have a look at what I'll do.

BTW: Why are you always talking about the batch add function??? It will not be publicly available. I've just got two admin accounts in my gallery and only those two can upload and use the batch add function.

Joachim Müller

Well, you're recommended to ftp upload and use batch add for admins, that's what we always suggest and that's what the docs say as well. What's your actual question?

Joachim

Mastacheata

Hey now you understand me... *g*
All I wanted to know was if there has been such a mod yet to replace the http upload with an ftp upload, or if I'd have to program this myself...
That question was answered by you and TranzNDance already, but then you posted your concerns about making batch add feature publicly available, where you simply misunderstood me.
So now everything is clear for me...