tags:

views:

137

answers:

4
+3  Q: 

How to prevent a specific directory from running Php, Html, and Javascript languages?

Hi, Let's say i have an image uploader script, i want to prevent the upload directory from executing Php or even html by only showing it as plain text, i've seen this trick in many websites but i don't know how they do it.

Briefly, if i upload evil.php to that directory, and i try to access it i will only see a plain text source , No html or php is executed. ( but i still want the images to appear normally ofcourse)

I know i can do like that by header("content-type:text/plain"); but that's will not be helpful, because what i want, is to set the content-type:text/plain automatically by the server for every thing outputed from the upload directory except images.

Note: i'm running php 5.3.2/Cent OS and the latest cPanel.

Thanks

+3  A: 

At the very least, you'll want to put the following in your .htaccess file for the upload directory:

Options -Indexes
Options -ExecCGI
AddHandler cgi-script .php .php3 .php4 .phtml .pl .py .jsp .asp .htm .shtml .sh .cgi
sblom  2010-04-11 22:22:49
You would set this only for a specific directory.
VolkerK  2010-04-11 22:27:23
Thank you so much :)
Emily  2010-04-11 22:27:28
+1  A: 

Put a .htaccess in the upload directory.

AddType 'text/plain' .php .html

or

ForceType 'text/plain'
#...
SHiNKiROU  2010-04-11 22:23:48
A: 

Since you're talking about an image uploader, you don't want to display images as plain/text. How would you separate images from malicious files? During that task, just block saving the particular file.

BalusC  2010-04-11 22:25:36
BalusC, i only went to header the non-images as plain/text. thanks
Emily  2010-04-11 22:29:21
A: 

Do a Google search for "disable script execution for directory" to turn up a number of options. This one is my favorite:

AddType text/plain .html .htm .shtml .php .php3 .phtml .phtm .pl .py .cgi .js

The only downside is that you have to explicitly name the extensions not to run, but it may be possible (just a hunch) to use some sort of wild card so that all file extensions are considered plain text, and then manually add the Mime Type for your standard image extensions.

Anthony  2010-04-11 22:25:50

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases