Uploading arbitrary files...

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Uploading arbitrary files...

Post by alex.barylski »

I have a script which allows arbitrary file types to be uploaded...

My server is (from what I understand) configured to only run PHP -- I would double check on a live machine.

WHat are the dangers in allowing uploading of arbitrary files? If my LAMP setup does not have Ruby or other scripting languages installed and I disabled PHP from executing in the directories where uploads are allowed would this suffice?

Code: Select all

 
<Directory /var/www/app/public/uploads/> 
  php_admin_flag engine off
</Directory> 
 
User avatar
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Re: Uploading arbitrary files...

Post by Maugrim_The_Reaper »

Does it have to allow arbitrary files? Would it be possible to implement a whitelist of allowable file types?
User avatar
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Uploading arbitrary files...

Post by kaisellgren »

How about you change the file extension if it is not white listed?

malicious.php -> malicious.php.txt

:)?

If the user wants to keep the extension, he could zip it.
Post Reply