MyBB Community Forums

Full Version: Should attachments be allowed?
If I allow attachments, how can I prevent an attacker from uploading malicious scripts/shells on my server?
When uploading an attachment, its file extension is changed to .attach to prevent execution of the file. Moreover, the file name is generated randomly, which makes it almost impossible to access a file directly. Therefore allowing attachments is safe.
Oh OK, and do the user-uploaded avatar files' extensions also change?
Since avatars are images, they are not executable.
Is it possible to embed malicious code with image files? As with WordPress I use an IPS and I constantly see image-type file upload attempts (my blog does not require or allow any uploads).
It is possible, and has been used to execute arbitrary code on misconfigured servers (more info: https://nealpoole.com/blog/2011/04/setti...iguration/ ).

In normal circumstances though, with a properly configured server, you shouldn't have any issues.
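
An added sketch (not part of the thread and not MyBB's own code) of the storage scheme described in the first reply: the upload lands on disk under a random name with a neutral `.attach` extension, and the client's file name survives only as metadata. The function names, the in-memory index and the download headers are assumptions made for illustration.

```python
import os
import secrets
import tempfile

# Assumption: a directory that no script handler is mapped to.
UPLOAD_DIR = tempfile.mkdtemp(prefix="uploads_")
INDEX = {}  # stand-in for the attachments database table

def store_attachment(client_name: str, data: bytes) -> str:
    """Save an upload under a random name with a neutral extension; return its id."""
    attach_id = secrets.token_hex(16)        # 128 random bits, not guessable
    stored_name = f"{attach_id}.attach"      # nothing client-supplied reaches the disk name
    path = os.path.join(UPLOAD_DIR, stored_name)
    # O_EXCL refuses to overwrite an existing file; 0o600 sets no execute bit.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    # The original name is kept only as metadata for the download header.
    INDEX[attach_id] = {"client_name": os.path.basename(client_name),
                        "stored_name": stored_name}
    return attach_id

def stored_path(attach_id: str) -> str:
    """Resolve an id to its on-disk path through the index, never through user input."""
    return os.path.join(UPLOAD_DIR, INDEX[attach_id]["stored_name"])

def download_headers(attach_id: str) -> dict:
    """Headers that make the browser save the file instead of rendering it."""
    name = INDEX[attach_id]["client_name"]
    safe = "".join(c for c in name if c.isalnum() or c in "._-") or "file"
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe}"',
        "X-Content-Type-Options": "nosniff",
    }

# Constructed sample uploads: a script, and an image-looking file with script text appended.
SAMPLES = {
    "shell.php": b"<?php echo 'constructed sample'; ?>",
    "avatar.gif": b"GIF89a" + b"\x00" * 8 + b"<?php echo 'constructed sample'; ?>",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        aid = store_attachment(name, body)
        print(name, "->", os.path.basename(stored_path(aid)), download_headers(aid))
```

Both samples are stored byte-for-byte; what changes is that neither the path nor the extension gives the web server a reason to hand the file to an interpreter.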