防止执行子目录中的.htaccess文件
[英]Prevent .htaccess files within subdirectories from being executed
问题描述
I have a service where a user is allowed to upload anything they please. 
我有一项服务,允许用户上传他们喜欢的任何东西。 I have code execution and others disabled, but I cannot find a way to prevent a .htaccess file they upload from executing. 我已经执行了代码,并禁用了其他代码,但是我找不到阻止他们上载的.htaccess文件的方法。
1 个解决方案
解决方案1
0 已采纳 2012-11-24 08:26:29
You should always rename user uploaded files! 您应该始终重命名用户上传的文件! If you do not do that, user can easily upload hack.php and then launch it to get your site hacked or abused. 如果您不这样做,用户可以轻松地上传hack.php ,然后启动它以使您的网站被黑或滥用。 So this is in fact your problem. 所以这实际上是您的问题。
Rename your files after upload. 上传后重命名文件。 Keep original name (along with ie size, mime type etc) in database and route file download/view via the script which would take that original name from DB and build proper headers and then file() content of that file to the user. 在数据库中保留原始名称(以及大小,mime类型等),并通过脚本路由文件下载/查看,该脚本将从DB获取原始名称并构建适当的头,然后将该文件的file()内容提供给用户。 That would prevent a file from being executable on your server 那会阻止文件在服务器上执行
Or if that's the problem with .htaccess only (but I dare to say it is wider) then you can configure apache to ignore .htaccess in certain directories. 或者,如果仅是.htaccess的问题(但我敢说它更宽),则可以将apache配置为在某些目录中忽略.htaccess。 It requires root rights on the machine, but you can add <Directory FOLDER> block to host configuration and put AllowOverride None in it. 它需要计算机的root权限,但是您可以将<Directory FOLDER>块添加到主机配置,然后在其中添加AllowOverride None 。
Or, just check target filename on upload and reject any .htaccess and .htpassword . 或者,只需检查上载的目标文件名并拒绝任何.htaccess和.htpassword 。 Or anything with name starting with . 或任何以开头的名称.
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.