堆栈内存溢出
  简体   繁体   English

如何保护正在执行的上传文件夹中的文件

[英]How to protect files in upload folder being executed

 原文  2011-02-15 22:21:44       php/ .htaccess/ security

问题描述

I have a upload folder where users can upload anything, all file types are allowed... 我有一个上传文件夹,用户可以上传任何内容,允许所有文件类型...

But, there is a problem... 但有个问题...

If user upload .php file, that file won't be offered to download it, it will be executed, so if user upload dangerous php file, that will delete folders, or browse, or display secured data, it will do that, so anyone can have access to server... 如果用户上传.php文件,该文件将不会被提供下载,它将被执行,因此如果用户上传危险的php文件,删除文件夹,浏览或显示安全数据,它就会这样做,所以任何人都可以访问服务器...

How can I protect executing in that folder? 如何保护该文件夹中的执行?

I try with CHMOD 755 for that folder, but then files can't be uploaded... 我尝试使用CHMOD 755获取该文件夹,但无法上传文件...

Is there any way to protect this without php scripts or file type checking while upload or something, just to block executing in that specific folder... 有没有办法保护这个没有PHP脚本或文件类型检查上传或其他东西,只是为了阻止在该特定文件夹中执行...

Maybe with .htaccess or something? 也许用.htaccess或其他什么?

Thank you... 谢谢...

4 个解决方案

解决方案1
 4  2011-02-15 22:23:23

将目录放在公共www-scope之外,并使用脚本使用file_get_contents或类似方法获取文件。

解决方案2
 3  2011-02-15 22:26:26

My first inclination is to say "Don't do that!". 我的第一个倾向是说“不要那样做!”。

But if you must do it for whatever reason: upload the files into a directory that's not accessible by Apache. 但是如果你出于某种原因必须这样做:将文件上传到Apache无法访问的目录中。 Then write a script that reads the files and outputs their contents. 然后编写一个读取文件并输出其内容的脚本。

It's still a bad idea IMHO. 恕我直言,这仍然是一个坏主意。 That doesn't prevent someone from using Javascript to do all sorts of nasty things to other users. 这并不妨碍某人使用Javascript向其他用户做各种令人讨厌的事情。

Edit Based on your comments I'm adding a bit to my answer: 编辑根据您的评论,我在答案中添加了一些内容:

You have to remember that on the web there are multiple layers of "execution", and really it's interpreted, but I won't argue semantics. 你必须要记住,在网络上有多层“执行”,实际上它是被解释的,但我不会争论语义。 If Apache serves your file and it is designed to be interpreted by Apache, Apache will interpret it (usually a scripting language such as PHP). 如果Apache服务于您的文件并且它被设计为由Apache解释,那么Apache将解释它(通常是脚本语言,如PHP)。 If you download a file designed to be interpreted by the browser (HTML, Javascript, CSS), it will be interpreted by the browser and all of the programs that go along with that. 如果您下载了一个旨在由浏览器解释的文件(HTML,Javascript,CSS),它将被浏览器和所有与之相关的程序解释。

If you can't use a script to read the file (which will only prevent Apache from doing something with it) you could have your uploader ZIP the file. 如果你不能使用脚本来读取文件(这只会阻止Apache对它做一些事情),你可以让你的上传程序压缩文件。 That way it's always being downloaded in the correct format. 这样,它总是以正确的格式下载。

解决方案3
 2 已采纳  

Put this in the .htaccess of the folder to disable PHP: 把它放在文件夹的.htaccess中以禁用PHP: 

php_flag engine off

In case you're using FastCGI or not mod_php : 如果你正在使用FastCGI或不使用mod_php 

RemoveHandler .php

解决方案4
 0  2011-02-16 15:03:02

Why dont you filter php files? 为什么不过滤php文件? do you really need your users uploading php file? 你真的需要你的用户上传php文件吗? you can filter for known dangerouns extensions. 你可以过滤已知的dangerouns扩展。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何保护codeIgniter中公共文件夹中的文件? - How to protect files in public folder in codeIgniter? 如何保护从其他文件夹删除文件 - how to protect deleting files from other folder 如何保护公共图像上传文件夹免受操纵/直接访问 - How to protect a public image upload folder from manipulation/direct access 如何上传包含文件的完整文件夹 - How to Upload a Full Folder with their files fileinput上传和预览,保护文件 - fileinput upload and preview, protect files .htaccess不能保护文件夹中的文件 - .htaccess doesnt protect files in folder 保护文件夹内的特定文件 - Protect specific files inside folder 如何保护PDF文件不被下载或复制 - How to protect PDF files from being downloaded or copied 如何保护我的服务器上的php文件不被请求 - How to protect my php files on the server from being requested 如何编写.htaccess并保护Laravel中的站点文件和文件夹 - how to write .htaccess and protect sites files and folder in laravel
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM