[solved] Stop users running PHP scripts they've uploaded

Posted: Tue May 01, 2007 8:25 am
by Grim...
I'm making an online file storage app, which lets users upload any file they like and store it.
If they write a php script with the right include path to the config.php file (which will be easy as I am going to release the source when it's finished), they can currently upload it and list out all the passwords (or they can write a script which deletes folders, or whatever).

Is there any way to stop php scripts (and anything else for that matter) from running in these 'user' folders, while still letting them get at the information that's there?

I've fiddled with chmod, but setting the file to read+write only (i.e. no execute) didn't make any difference.

I'm trying to avoid forcing them to download the file to see it, so if there are other options, that would be great.

Re: Stop users running PHP scripts they've uploaded

Posted: Tue May 01, 2007 8:27 am
by Grim...
Grim... wrote: I'm trying to avoid forcing them to download the file to see it, so if there are other options, that would be great.
Actually, that wouldn't help anyway - once their file exists on the server, they could just browse straight to it.

Posted: Tue May 01, 2007 8:28 am
by Oren
mod_rewrite + file_get_contents()

Posted: Tue May 01, 2007 8:30 am
by feyd
Use .htaccess to turn the PHP engine off. That stops it cold. :)

http://php.net/ref.apache#apache.configuration
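A fuller .htaccess for an upload directory, added here as an example rather than taken from this thread: it keeps the engine switch feyd suggests but also covers servers that run PHP through CGI or FPM, where php_flag is not honoured (and is an unknown directive that causes a 500 unless wrapped in IfModule). It assumes AllowOverride grants Options, FileInfo and AuthConfig for this directory and Apache 2.4 syntax.

```apache
# Hardened .htaccess for a directory that holds user-uploaded files.
# Assumption: AllowOverride Options FileInfo AuthConfig applies here.

# 1. mod_php: switch the engine off, as in the thread. Wrapped in IfModule
#    because 'php_flag' is an unknown directive (HTTP 500) when PHP runs
#    via CGI/FPM instead of mod_php. Older builds name the module
#    mod_php5.c or mod_php7.c; adjust the name to match your server.
<IfModule mod_php.c>
    php_flag engine off
</IfModule>

# 2. CGI/FPM setups ignore php_flag, so also detach the PHP handler and
#    MIME type from the usual extensions and forbid CGI execution here.
RemoveHandler .php .phtml .php3 .php4 .php5 .php7 .phps
RemoveType .php .phtml .php3 .php4 .php5 .php7 .phps
Options -ExecCGI -Indexes

# 3. Belt and braces: refuse to serve anything that still looks like PHP
#    source, so an uploaded script is neither executed nor handed back as
#    plain text if one of the rules above is not in effect.
<FilesMatch "\.(php|phtml|php[3-7]|phps|phar)$">
    Require all denied
</FilesMatch>
```

Verify by uploading a harmless file such as `<?php echo 'executed'; ?>` and requesting it: the expected result is a 403 from rule 3, and with that block removed the literal source rather than the word "executed".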

Posted: Tue May 01, 2007 9:15 am
by Grim...
I'm a bit crappy at .htaccess, so bear with me:
Do I have to do anything besides create a file called '.htaccess' in the subfolder (with the 'bad' php scripts in) with the contents

    php_flag engine off

Do I need to reload apache or anything?

The reason I ask is because it doesn't seem to work :(

[edit]Hold the phone, it works!
It was just a cached version of the old script I was seeing.
It works for subfolders, too!

Thanks for your time, both :)

Posted: Tue May 01, 2007 10:12 am
by Grim...
Quick question that doesn't really deserve its own thread:
Why won't adding 'php_flag safe_mode off' into the .htaccess file turn off safe mode?
Is it restricted elsewhere?

Posted: Tue May 01, 2007 10:14 am
by feyd
Note the access permissions level: http://php.net/features.safe-mode#ini.sect.safe-mode

Posted: Tue May 01, 2007 10:31 am
by Grim...
Um... Which bit now?

Posted: Tue May 01, 2007 10:40 am
by feyd
The first row of data in table 42.1.

Posted: Tue May 01, 2007 10:52 am
by Grim...

    Name         Default  Changeable
    safe_mode    "0"      PHP_INI_SYSTEM

That bit?

I get the feeling I'm being a bit dumb here, but I'm missing the point...

Posted: Tue May 01, 2007 10:54 am
by feyd
Look up what PHP_INI_SYSTEM means...

http://www.php.net/manual/en/ini.php#id9555669

Posted: Tue May 01, 2007 10:55 am
by Grim...
Durr. Thanks mate.

All over the web, there are reports of other people doing this successfully. Sucks to be me.