开发者

How to ban all executable files on Apache

I would like to find out the most effective way to ban any executable files from 开发者_如何学运维one specific sub folder on my server. I allow file uploads by users into that folder, and would like to make that folder accessible from the web. I have the root folder pretty much locked down with mod_rewrite. In that one unprotected sub-folder I have .htaccess with:

Options +Indexes  
IndexOptions +FancyIndexing +FoldersFirst +HTMLTable  
RewriteEngine off

I know it is best to just restrict file uploads to a certain allowable file types, and I am already doing this in php. I am checking file extension, and mime type before allowing an upload like this:

$allmime=array('image/gif', 'image/png', 'image/jpeg', 'application/msword', 'application/pdf');
$allext=array('png', 'jpg', 'gif', 'doc', 'pdf');
$path=pathinfo($_FILES['file']['name']);
$mime=trim(shell_exec("file -bi " . $_FILES['file']['tmp_name']));
if( !in_array( $path['extension'], $allext) || !in_array($mime, $allmime) ){
    //ban
}else{
    //allow
}

However I am not certain if there is some convoluted hack out there that will still allow a shell script to be uploaded and executed on the server, since all of the successfully uploaded files will be visible immediately.

I know there is another option in .htaccess to filter out files like this:

<FilesMatch "\.(sh|asp|cgi|php|php3|ph3|php4|ph4|php5|ph5|phtm|phtml)$">
    order allow, deny
    deny from all
</FilesMatch>

However I am not certain that this list is all-inclusive, plus this is hard to maintain, as new extensions might be installed in the future.

To sum it all up: Anyone knows a good way to disallow all server executables, with the exception of php scripts directly executed by the %{HTTP_HOST}?


You can do several things to absolutely lock down certain folders to ensure PHP is not able to execute in them, particularly useful if doing a PHP upload script and you don't want the world to be able to execute arbitrary code on your server by exploiting your upload code:

  • disable the PHP engine entirely in .htaccess for the folder in question:

  php_flag engine off

  • force the Content-Disposition header to attachment for files that are not of a finite list of file types you are expecting, for example:

  ForceType application/octet-stream
  Header set Content-Disposition attachment
  <FilesMatch "(?i)\.(gif|jpe?g|png)$">
    ForceType none
    Header unset Content-Disposition
  </FilesMatch>

  • prevent uploading of files with any extension which can be executed by an Apache module like PHP directly in your uploader code


How about disabling the server-side handlers for that specific directory? Something like:

<Directory /path/to/restrict>
    SetHandler None
    Options None
    AllowOverride None
</Directory>

This is untested, but seems like it might work.

UPDATE: Apparently, I was wrong ... but sticking AddHandler default-handler in an .htaccess does seem to work.


From twitter's bootstrapper .htaccess, this works for me (just added exe):

# Block access to backup and source files.
# These files may be left by some text editors and can pose a great security
# danger when anyone has access to them.

<FilesMatch "(^#.*#|\.(exe|bak|config|dist|fla|inc|ini|log|psd|sh|sql|sw[op])|~)$">
    Order allow,deny
    Deny from all
    Satisfy All
</FilesMatch>

Results in:

Forbidden

You don't have permission to access /test/test.exe on this server.


The best way (imo) is just to turn off the x in the subfolder (executable permission in linux). So I would change the permissions to 644 (logged in you can read and write, but the world can only read). This can be done in cpanel. Make sure to apply that to sub folders as well.


Filtering by the uploaded filename is how malicious users will get bad things on to your server. The $_FILES name and type attributes are user supplied data and nothing says a user can't upload a PHP script but call it 'puppies.jpg'

Proper way to filter is to use something like Fileinfo and check actual MIME types and filter on that


Deny complete access to folder in an .htaccess file, and then use a download script to download the file, would save a lot of trouble.


Look here

The following rule will forbid .exe (i added .bat) files from being downloaded from your server:

<Directory "/my/files">
    Require all granted
     RewriteEngine on
     RewriteRule "(\.exe|\.bat)" "-" [F]
</Directory>
0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜