PHP File upload, Secure?
This is what I want a user to be able to do:
- Upload ANY file to the server (attachment) to the uploads folder
- Be able to download it afterwards
So I have created this dir with the following .htaccess
Allow from all
DirectoryIndex .x
php_flag engine off
Options -Indexes
Options -ExecCGI
AddType text/plain .html .htm .shtml .php .php3 .php5 .phtml .phtm .pl .py .cgi
ForceType application/octet-stream
My question is, is this secure?
I would like to say: no
It should be more secure if you deny access from all and manage the download via a script that delivers the files. Furthermore you should rename the files, so that e.g. nobody places his own .htaccess or whatever. The original filenames you can store in a DB.
Why: You will never know what happens in the future, some files can later get executable, somewhere else you place an insecure script that allows users to include those uploaded files, and so on.
I also agree with Dr.Molle that you should rename the files and send them dynamically.
But instead of sending them via a script, which will take up much more memory than necessary, I highly recommend using mod_xsendfile for Apache.
With mod_xsendfile, instead of outputting the file through PHP, you can simply send the XSendFile headers:
<?php
header('Content-Disposition: attachment;filename=originalname.txt');
header('X-Sendfile: /path/to/file.txt');
?>
This way, you can keep all the files OUTSIDE the web directory root and therefore completely inaccessible to the outside world. You won't have to worry about .htaccess at all.
If your host allows you to install new Apache modules, you'll need apxs installed (it probably will be). If it's not installed, you'll need to rebuild Apache with apxs enabled. In my experience, if you can manage it, it's worth it. XSendFile saves SO much trouble.
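The approach from the two answers above combined (random server-side names, original names kept in a DB, delivery through X-Sendfile), as an added example that is not code from any poster in this thread. The `STORE_DIR` path, the `uploads` table and its columns, and the function names are assumptions made for illustration.

```php
<?php
// Added example. Assumptions: STORE_DIR lies outside the web root, and an
// "uploads" table (id, stored_name, original_name) exists in a PDO database.
const STORE_DIR = '/srv/app-data/uploads';   // hypothetical path

function saveUpload(PDO $db, array $file): int   // $file: one entry of $_FILES
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    // Server-generated name: no user-controlled characters and no extension,
    // so an upload can never land on disk as ".htaccess" or "something.php".
    $stored = bin2hex(random_bytes(16));
    if (!move_uploaded_file($file['tmp_name'], STORE_DIR . '/' . $stored)) {
        throw new RuntimeException('could not store file');
    }
    // The original name is kept only as data, never used as a path.
    $stmt = $db->prepare('INSERT INTO uploads (stored_name, original_name) VALUES (?, ?)');
    $stmt->execute([$stored, basename($file['name'])]);
    return (int) $db->lastInsertId();
}

function downloadHeaders(string $stored, string $original): array
{
    // Refuse anything that is not one of our own generated names.
    if (!preg_match('/\A[0-9a-f]{32}\z/', $stored)) {
        throw new InvalidArgumentException('bad stored name');
    }
    // Replace control characters, quotes and backslashes (header injection).
    $safe = preg_replace('/[\x00-\x1F\x7F"\\\\]/', '_', $original);
    return [
        'Content-Type: application/octet-stream',
        'X-Content-Type-Options: nosniff',
        'Content-Disposition: attachment; filename="' . $safe . '"',
        'X-Sendfile: ' . STORE_DIR . '/' . $stored,   // consumed by mod_xsendfile
    ];
}

function sendDownload(PDO $db, int $id): void
{
    // The caller must already have checked that this user may read $id.
    $stmt = $db->prepare('SELECT stored_name, original_name FROM uploads WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) { http_response_code(404); return; }
    foreach (downloadHeaders($row['stored_name'], $row['original_name']) as $h) {
        header($h);
    }
}
```

mod_xsendfile only serves paths it has been allowed to read, so the storage directory has to be whitelisted with its `XSendFilePath` directive and `XSendFile On` set for the script's location.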
I agree that it would be much better to download them via special script. But if it's not possible, do two things:
- If you wish users to be able to download files, you can add an attachment HTTP response header
Header set Content-disposition "attachment"
which will force the browser to download the file instead of rendering it. Still, you have to make sure files won't be accessible through other potential vulnerabilities like File Inclusion.
- Forbid execution for the upload directory with
chmod -R a-x