
Uploading arbitrary files...

Posted: Thu Sep 18, 2008 4:12 pm
by alex.barylski
I have a script which allows arbitrary file types to be uploaded...

My server is (from what I understand) configured to only run PHP -- I would double check on a live machine.

What are the dangers in allowing uploading of arbitrary files? If my LAMP setup does not have Ruby or other scripting languages installed and I disabled PHP from executing in the directories where uploads are allowed, would this suffice?

<Directory /var/www/app/public/uploads/> 
  php_admin_flag engine off
</Directory> 

Re: Uploading arbitrary files...

Posted: Fri Sep 19, 2008 2:40 am
by Maugrim_The_Reaper
Does it have to allow arbitrary files? Would it be possible to implement a whitelist of allowable file types?

Re: Uploading arbitrary files...

Posted: Mon Sep 29, 2008 1:38 pm
by kaisellgren
How about you change the file extension if it is not whitelisted?

malicious.php -> malicious.php.txt

:)?

If the user wants to keep the extension, he could zip it.
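Putting the two suggestions in this thread together (an extension whitelist, and demoting anything else to a `.txt` file), here is an added PHP example; it is not code from any of the posters. It goes one step beyond renaming `malicious.php` to `malicious.php.txt`: with Apache's multiple-extension handling, a directive such as `AddHandler application/x-httpd-php .php` matches any dotted component of the filename, so `malicious.php.txt` can still be executed where PHP is enabled. The example therefore strips every dot from the stored name, never uses the client-supplied name for the final path, and rejects anything that did not arrive through PHP's upload mechanism. Assumed (not in the original posts): PHP 7 or later (`random_bytes`), a form field named `upload`, and an upload directory `$uploadDir` that is covered by the `engine off` block from the first post.

```php
<?php
// Added example, not from the original thread.
// Whitelist the extension of an uploaded file, store it under a server-generated
// name, and neutralise anything not on the whitelist by saving it as .txt.
//
// Assumptions: PHP 7+ (random_bytes), $_FILES['upload'] comes from a multipart
// form field named "upload", and $uploadDir is a directory from which the web
// server never executes scripts (see the php_admin_flag engine off block).

declare(strict_types=1);

const ALLOWED_EXTENSIONS = ['png', 'jpg', 'jpeg', 'gif', 'pdf', 'txt', 'zip'];

/**
 * Decide the name under which an uploaded file is stored.
 *
 * - Only the last extension is inspected, lower-cased before the check.
 * - Every other dot is removed from the stem, so "shell.php.jpg" or
 *   "malicious.php.txt" cannot be matched as a PHP file by a server that
 *   honours multiple extensions.
 * - A random prefix is prepended: the client never picks the final path,
 *   names cannot collide, and a dotfile such as ".htaccess" cannot be planted.
 */
function safe_upload_name(string $clientName, array $allowed = ALLOWED_EXTENSIONS): string
{
    // Drop any directory component the client sent (../ traversal, Windows paths).
    $base = basename(str_replace('\\', '/', $clientName));

    $dot  = strrpos($base, '.');
    $ext  = $dot === false ? '' : strtolower(substr($base, $dot + 1));
    $stem = $dot === false ? $base : substr($base, 0, $dot);

    // Conservative character set for the stem; in particular, no dots survive.
    $stem = trim(preg_replace('/[^A-Za-z0-9_-]+/', '_', $stem), '_');
    if ($stem === '') {
        $stem = 'file';
    }

    if (!preg_match('/^[a-z0-9]{1,10}$/', $ext) || !in_array($ext, $allowed, true)) {
        // Not whitelisted: keep the original extension in the stem so the user
        // can still recognise the file, but force .txt so it is served as text.
        if ($ext !== '') {
            $stem .= '_' . preg_replace('/[^a-z0-9]+/', '_', $ext);
        }
        $ext = 'txt';
    }

    return bin2hex(random_bytes(8)) . '_' . substr($stem, 0, 60) . '.' . $ext;
}

/**
 * Move one entry of $_FILES into $uploadDir under a safe name and return the path.
 */
function store_upload(array $file, string $uploadDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with error code ' . (int) $file['error']);
    }
    // Refuse anything that did not come in through the request (e.g. a local path).
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }

    $target = rtrim($uploadDir, '/') . '/' . safe_upload_name($file['name']);
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not move uploaded file');
    }
    chmod($target, 0644); // readable, never executable on disk either
    return $target;
}

// Assumed request handler wiring; $uploadDir is a placeholder for the real path.
if (isset($_FILES['upload'])) {
    $uploadDir = '/var/www/app/public/uploads';
    $stored = store_upload($_FILES['upload'], $uploadDir);
    header('Content-Type: text/plain');
    echo 'stored as ' . basename($stored);
}
```

With this scheme `malicious.php` is stored as `<random>_malicious_php.txt` and `photo.JPG` as `<random>_photo.jpg`; a user who needs to keep an arbitrary extension zips the file, as suggested above, and `zip` is on the whitelist. The whitelist is the first line of defence and the `engine off` block from the first post is the backstop, not the other way round. Note that `php_admin_flag` only exists in mod_php; if PHP runs as CGI or FastCGI that directive is silently ignored, and the PHP handler mapping has to be removed for that directory instead (`RemoveHandler` / `RemoveType` for the `.php` extension, matching however the handler was added), with `AllowOverride None` so an uploaded `.htaccess` could not re-enable it.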