Uploading files
-
alex.barylski
- DevNet Evangelist
- Posts: 6267
- Joined: Tue Dec 21, 2004 5:00 pm
- Location: Winnipeg
When uploading files, and assuming your PHP is running under Apache user: nobody or apache, how do you ensure the security of the file system?
In order to allow PHP to upload a file and move it into a directory which is created by PHP shortly after upload, having a permission 777 is not good for safety.
775 is no better because then PHP can move files into the directory and/or edit/delete, etc.
Do you:
1) Run PHP as its own user or use phpsuexec
2) Use FTP functions to change the permissions to 777 when uploading and back to 775 when finished?
The latter is probably the best choice for widely distributed PHP applications, although I will likely have complete control over this environment.
In case I missed a technique or a detail, what do you all think?
You should only put files that are uploaded via a form to a non-http accessible directory.
In other words, upload them to /usr/local/www/my_uploads instead of /usr/local/www/htdocs/my_uploads
Then, when you are done, move it to a directory that has like 766 or 755 or whatever. That's one quick step.
The next thing to do is check the header information and ensure that the file they are trying to upload matches the file type you are expecting (img, txt, etc).
There are a million other things. I'm sure the others can shed more light on the subject.
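The two steps described in the post above (store the upload outside the web root, then check the file's header against the type you expect), as an added example that is not part of the original thread. The storage directory, the allowlist and the form field name "upload" are assumptions.

```php
<?php
// Added example, not code from the thread. UPLOAD_DIR, the ALLOWED map and the
// "upload" form field name are assumptions.
declare(strict_types=1);

const UPLOAD_DIR = '/usr/local/www/my_uploads';   // outside htdocs, as the post suggests
const ALLOWED = [                                  // detected MIME type => extension we assign
    'image/gif'  => 'gif',
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'text/plain' => 'txt',
];

// Identify the type from the file's leading bytes, not from the client-supplied
// name or Content-Type. Returns the extension to use, or null if not allowed.
function detect_extension(string $path): ?string
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    return ($mime !== false && isset(ALLOWED[$mime])) ? ALLOWED[$mime] : null;
}

function store_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    $ext = detect_extension($file['tmp_name']);
    if ($ext === null) {
        throw new RuntimeException('file type not allowed');
    }
    // Server-generated name: the client's file name never reaches the file system.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store upload');
    }
    chmod($dest, 0644);   // owner read/write, others read; never executable
    return $name;
}

if (PHP_SAPI !== 'cli' && isset($_FILES['upload'])) {
    try {
        echo store_upload($_FILES['upload']);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo $e->getMessage();
    }
}
```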
-
alex.barylski
- DevNet Evangelist
- Posts: 6267
- Joined: Tue Dec 21, 2004 5:00 pm
- Location: Winnipeg
infolock wrote: You should only put files that are uploaded via a form to a non-http accessible directory.

That is one alternative, but unfortunately not available to me. I need the files accessible by web server and using a proxy script isn't an acceptable solution. Basically I need read only access to the files but my PHP scripts need write access, which complicates things, because PHP (in my case right now anyways) is running under user: Apache.
I'm wondering if I could just use some shell scripts which wrap native commands invoked by PHP through exec() to carry out moving files, deleting and creating file and directories...
If the shell scripts are "owned" by a user say "shell" then when invoked via exec:
Code: Select all
exec('createdirs.sh');
exec('deletedirs.sh /uploads');
exec('movefiles.sh /tmp /uploads');
Cheers
-
alex.barylski
- DevNet Evangelist
- Posts: 6267
- Joined: Tue Dec 21, 2004 5:00 pm
- Location: Winnipeg
I might have to go that route...but...
1) I may not always have access to outside of the docroot.
2) I have two folders which hold images and generic files. I glob those files and display them in a list inside a WYSIWYG, etc. When people edit the HTML which references those resources I would have to now find the file references and replace the URL with the proxy script instead. PITA essentially and additional processing.
Those two reasons had me seek an alternative. I thought originally I could use some shell scripts run under a different user, but now it seems that most *nix distros frown upon that and don't actually obey the setuid flag on shell scripts - only executables.
My other alternative is to consider running PHP as CGI/PHPSUEXEC...this is the direction I think I will move in as it won't require substantial changes to existing source - hopefully.
-
alex.barylski
- DevNet Evangelist
- Posts: 6267
- Joined: Tue Dec 21, 2004 5:00 pm
- Location: Winnipeg
Well all the paths are currently:
Code: Select all
var/www/somedomain.com/uploads/images/
http://somedomain.com/uploads/images/logo.gif
If I move those files into:
Code: Select all
var/www/uploads/
Obviously the files will be broken.
I suppose I could use mod_rewrite to convert requests into a proxy.php script, such that:
Code: Select all
proxy.php?file=var/www/uploads/
Is that what you were hinting at?
Cheers
- feyd
- Neighborhood Spidermoddy
- Posts: 31559
- Joined: Mon Mar 29, 2004 3:24 pm
- Location: Bothell, Washington, USA
Hockey wrote: I suppose I could use mod_rewrite to convert requests into a proxy.php script, such that:
Code: Select all
proxy.php?file=var/www/uploads/
Is that what you were hinting at?
Cheers

Yes.
-
alex.barylski
- DevNet Evangelist
- Posts: 6267
- Joined: Tue Dec 21, 2004 5:00 pm
- Location: Winnipeg
Sweet. That will actually work.
Can you tell me how to adjust the following mod_rewrite code I dug up:
Code: Select all
RewriteEngine on
RewriteBase /
RewriteRule ^blog/(.*)$ blog/$1 [L]
RewriteRule !\.(gif|jpeg|jpeg|cgi|js|ico|gif|jpg|png|css)$ index.php
This apparently feeds all requests through a front controller *except* when inside a directory called "blog". I need the opposite. I need everything to be ignored *except* anything inside an "uploads" directory. In which case I need to forward the request as well as the URL of the file onto proxy.php.
Then inside the proxy I guess I just check the extension, set the appropriate headers and send back as a blob?
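A sketch of the proxy.php discussed in this thread, as an added example that is not part of the original posts. It takes a name relative to the uploads directory rather than a full path, and refuses anything that resolves outside that directory or has an extension not on the list. UPLOAD_ROOT, the TYPES map and the rewrite rule in the comment are assumptions.

```php
<?php
// Added example, not code from the thread. UPLOAD_ROOT and TYPES are assumptions.
// Assumed rewrite rule that sends only uploads/ requests to this script:
//   RewriteRule ^uploads/(.+)$ proxy.php?file=$1 [L]
declare(strict_types=1);

const UPLOAD_ROOT = '/var/www/uploads';
const TYPES = [
    'gif' => 'image/gif', 'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
    'png' => 'image/png', 'css' => 'text/css',
];

// Resolve a requested relative name to a real file under $root.
// Returns null for anything missing, outside $root, or of an unlisted extension.
function resolve_upload(string $root, string $requested): ?string
{
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $base = realpath($root);
    $path = realpath($root . '/' . $requested);   // collapses ../ and follows symlinks
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // The resolved path must still start with "<base>/".
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return isset(TYPES[$ext]) ? $path : null;
}

if (PHP_SAPI !== 'cli') {
    $req  = $_GET['file'] ?? '';
    $path = is_string($req) ? resolve_upload(UPLOAD_ROOT, $req) : null;
    if ($path === null) {
        http_response_code(404);
        exit;
    }
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    header('Content-Type: ' . TYPES[$ext]);
    header('Content-Length: ' . (string) filesize($path));
    header('X-Content-Type-Options: nosniff');   // browser must not second-guess the type
    readfile($path);
}
```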