stackoom
  简体   繁体   中英

Prevent execution of uploaded php files?

 原文  2011-05-04 15:11:01       php/ .htaccess/ apache2

Question

In my project users are allowed to upload files of any type. I need to ensure security against execution of uploaded files that can parsed by php (*.php, *.html, etc.)

Is there a way to tell apache not to parse any files with php in web/uploads and simply display them as plain text? What are other options?

3 answers

solution1
 12 ACCPTED  2011-05-04 15:17:06

Keep them all under the same folder and set this line in the directory's .htaccess file:

php_flag engine off

That will also take care of other exploits such as embedding PHP code in.gif files.

solution2
 2  2011-05-04 15:19:02

You want the Apache SetHandler directive: http://httpd.apache.org/docs/current/mod/core.html#sethandler

This lets you force all files in a directory to be processed by a certain handler. So something along the lines of:

<Location /web/uploads>
SetHandler None
</Location>

should do what you want.

solution3
 0  2011-05-04 15:13:16

why not just rename the file extensions upon upload to .phps ?

To clarify PHPS is the source code view of a PHP file:

To clarify:

file.php => file.phps

quick google example:

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How to name uploaded files in php to prevent them from being overwritten? Code execution from uploaded files Moving uploaded files with php Unset uploaded files in PHP Securing uploaded files in PHP PHP Listener for Uploaded Files PHP uploaded files and temp files Retrieve uploaded files in uploaded sequence yii php How to prevent execution of a PHP file? prevent double execution of code in PHP
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM