开发者

How to protect files in upload folder being executed

I have a upload folder where users can upload anything, all file types are allowed...

But, there is a problem...

If user upload .php file, that file won't be offered to do开发者_开发问答wnload it, it will be executed, so if user upload dangerous php file, that will delete folders, or browse, or display secured data, it will do that, so anyone can have access to server...

How can I protect executing in that folder?

I try with CHMOD 755 for that folder, but then files can't be uploaded...

Is there any way to protect this without php scripts or file type checking while upload or something, just to block executing in that specific folder...

Maybe with .htaccess or something?

Thank you...


put the directory outside the public www-scope and use a script the fetches the file using file_get_contents or similar.


Put this in the .htaccess of the folder to disable PHP:

php_flag engine off

In case you're using FastCGI or not mod_php:

RemoveHandler .php


My first inclination is to say "Don't do that!".

But if you must do it for whatever reason: upload the files into a directory that's not accessible by Apache. Then write a script that reads the files and outputs their contents.

It's still a bad idea IMHO. That doesn't prevent someone from using Javascript to do all sorts of nasty things to other users.

Edit Based on your comments I'm adding a bit to my answer:

You have to remember that on the web there are multiple layers of "execution", and really it's interpreted, but I won't argue semantics. If Apache serves your file and it is designed to be interpreted by Apache, Apache will interpret it (usually a scripting language such as PHP). If you download a file designed to be interpreted by the browser (HTML, Javascript, CSS), it will be interpreted by the browser and all of the programs that go along with that.

If you can't use a script to read the file (which will only prevent Apache from doing something with it) you could have your uploader ZIP the file. That way it's always being downloaded in the correct format.


Why dont you filter php files? do you really need your users uploading php file? you can filter for known dangerouns extensions.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜