开发者

How to handle upload of .php files without possibility of executing them?

开发者 https://www.devze.com 2022-12-16 13:30 出处:网络
I want to allow my users to upload .php files to the server, but also want to make sure the files are harmless to my application开发者_Go百科.

I want to allow my users to upload .php files to the server, but also want to make sure the files are harmless to my application开发者_Go百科.

Any suggestions?

Thank you.


I recommend the ‘disable script execution in the uploads directory’ approach. This is the only solution that’s completely safe.

Just add this rule to the .htaccess file inside the uploads directory:

php_value engine off


A couple of solutions:

  • Rename them to .phps
  • Disable execution of PHP in the upload directory in your webserver configuration


Option 1: Store them with a different filename and store the original filename as part of the metadata, e.g. in a database table.

Option 2: Disable script execution on the uploads directory.

Option 3: Rename them to .phps (an accepted extension for the display of raw PHP)


Just don't execute them, that's enough.

Make sure that your application doesn't run or include user-uploaded files at any point (e.g. by using a GET parameter to include a file without any sanitation).

Also make sure the uploaded files are not accessible from outside with the .php extension.

In a normal, halfway properly coded workflow, uploaded .php files do not pose a security risk no matter what code they contain.


Make the upload directory separate, write-only and not visible from the internet (this will prevent them accessing their own script after uploading).

You can then moderate new scripts and do as you see fit.

0

精彩评论

暂无评论...
验证码 换一张
取 消