开发者

Allowing users to upload ANYTHING

I'm building a file sharing site, and I'm thinking, I want my users to be able to upload and share anything.

Sounds dangerous, I know. But, is there a method to allow this to be possible? For example, forcing the download when the user requests the link with a mime type? Rather than "running" something on the page.

Any ideas h开发者_如何学Pythonow to allow any file type without the security issue.

Thanks


  1. Store the file on a location not accessible by the user through the browser. (so above the document root)
  2. when loading a file, use the readfile() function.
  3. Set correct headers, including these:

    header("Content-Description: File Transfer");
    header("Content-Disposition: attachment; filename=[INSERT FILENAME HERE]");
    

    And also use the correct content-type header for each type of file


If you only want it to be dangerous to other users (as they will be sharing virus ridden files in no time), but provide some protection for your web server from code injection attacks, you might consider storing the uploads in a database BLOB field. That should at least make it harder to inject code that will run on the server.


You can allow users to upload anything by using a simple HTML multipart form along with PHP's $_FILES. Only issue I see is file size limits.

You than can simply post a link to any of these files. It's the user's browsers settings that determine if a file is executed or downloaded, not yours. So you can suggest that they right click on them, and select 'save to', but besides that it's limited.


Any ideas how to allow any filetype without the security issue.

You say it yourself. It's like wanting to make scrambled eggs, without wanting to break the eggs.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜