Secure File Upload

Jan Henning Thorsen jhthorsen at cpan.org
Fri Nov 13 01:02:22 PST 2009 

I agree that webdav is not the solution :/

What about writing a catalyst app, which has an flash uploader / file manager
as frontend toward the user?

MojoMojo use swfupload. It provides the possibility to upload multiple files,
but download would be done by one-and-one click on standard <a> links on
the webpage. There are other "filemanagers" written in flash which might also
do the job. The reason why I'm "cheering" for flash, is that:

 1) I don't fancy Java
 2) Most people got flash installed
 3) Almost no-one has that fancy chrome thingy (cannot remember what
    it's called), which enables you to drag/drop files between your local
    system and the browser

Is this required to be a closed system? If not, maybe you use ubuntu
one or dropbox to sync the files between the different computers...
___
batman

On Thu, Nov 12, 2009 at 10:14 PM, Tom Hukins <tom at eborcom.com> wrote:
> Given that several people here run various Web sites, I'm hoping
> someone can point me in the right direction.
>
> I host a few Web sites on a Unix box and so far I have copied files
> there using scp, or edited them directly on the box.  That works well
> for me.
>
> I now want to let a semi-technical person upload a site from a Windows
> XP box.  Fine, I thought, I'll create a new account and provide SFTP
> access, pointing this person (who has used FTP before) to WinSCP.
>
> Unfortunately, with this approach I can't prevent SSH logins easily,
> and I can't restrict access to a subset of the machine's file system.
> Ideally, I'd like to do both for security reasons.
>
> I could faff around with chroot and run separate services, but as I
> only play at sysadmin in my spare time, I like to keep things simple.
>
> Running WebDAV over https within Apache might do the job, but WebDAV
> feels like a heavy protocol and I've seen XP play with it badly in the
> past, admittedly around 5 years ago.  Also, to keep everything
> encrypted, I need to give the server a certificate.
>
> Thinking backwards, I guess I want to:
> 1) Make the process as easy as possible for the uploader
> 2) Reduce the risk to my system, should the account become compromised
> 3) Reduce the chance of making the account compromised (encryption)
>
> I suspect some sort of ideal solution may not exist, but I would
> welcome any thoughts, insight or creative workarounds you lot might
> come up with.
>
> Tom
> _______________________________________________
> MiltonKeynes-pm mailing list
> MiltonKeynes-pm at pm.org
> http://mail.pm.org/mailman/listinfo/miltonkeynes-pm
>

More information about the MiltonKeynes-pm mailing list