tags:

views:

51

answers:

2
+3  Q: 

PHP: allowing upload of .php files for users, how do I prevent them from running?

I am allowing people to upload their project files, I've tightened my security but I just need to get to the simple point. How can I stop execution of any files in the subdirectories they're uploading too?

I'm thinking .htaccess but I'd need to generate one for each new subdirectory (I think), would I need to scrap my current code and use a .php file to send headers to force DL on the file instead of running?

What do you think is an easy and safe solution for this? It just uploads to a subdirectory like uploads/~foo/bar.html or something, it looks nice that way so it'd be nice if it can stay like that format.

A: 

Put this in uploads/.htaccess:

RemoveType application/x-httpd-php .php

This will work for all subfolders. Also make sure you don't parse .htaccess in the users folders. This can be done by AllowOverride None in the main server config, or it can be done by not allowing uploads of .htaccess files in the first place.

Emil Vikström  2010-06-19 09:36:28
Thank you alot, I thought and did disallow .htaccess from being uploaded, but the allowoverride would add the safetly I'd like.Thank you so much!
John S.  2010-06-19 09:43:23
Actually, how would I allow this to not effect upload.php I got in there? lol
John S.  2010-06-19 09:49:50
Actually don't worry! I got a directory back one that has nothing in it, I'll place the scripts there.
John S.  2010-06-19 09:51:12
So then what if the file name is `../../backdoor.php` ? If you do this alone, it can be bypassed. You also have to check the file name, its just a variable in an HTTP request that can be any value.
Rook  2010-06-20 18:11:03
A: 

If for example these uploaded files are in the directory "uploads" and subdirectories of it:

RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_URI} \.php [NC]
RewriteCond %{REQUEST_URI} \/uploads\/
RewriteRule ^(.*)$ index.php [F,L]
Radek Suski  2010-06-19 09:39:03

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases