
How to prevent uploaded file from being executed?

Tags:

apache

How can I prevent an uploaded file from being executed? For example, someone could upload a PHP file and use it to hack the site; I want to prevent it.

The best way that I know is using directory permissions, and setting them to 666?

Is there some htaccess magic that I can do?

grizwako asked Jun 16 '11 07:06


2 Answers

You can just put a .htaccess in your upload folder with the following line:

php_flag engine off

It will disable PHP execution in this directory.

Edited to answer comments: chmod 666 does not prevent PHP execution. It simply marks files as non-executable so you can't run them directly as scripts or binaries. PHP does not care about the permissions of the file; as long as it is readable, it will get parsed and executed by the engine.

So if your server has multiple engines (PHP, Jelly, whatever) you will have to manually build a configuration file that will prevent files within a folder from being interpreted. You could make a script that would generate that file based on what engines are installed on the machine.

user703016 answered Nov 01 '22 00:11


Permissions will not work if you modify them using FTP client and your server scripts are not using the same user/permissions (normal WordPress scenario).

If you want to avoid it with .htaccess, this may help.

Tested in LiteSpeed server version 5.4.10.

<Files *.php>
deny from all
</Files>
<Files *.*>
deny from all
</Files>
<Files myfile.php>
deny from all
</Files>

Juanma Rodríguez answered Oct 31 '22 23:10
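
The generator script the first answer suggests, as an added example that is not code from either answer: it builds a .htaccess that switches each engine off and, in the spirit of the second answer, denies requests for script extensions only. The `ENGINES` table, the function names and the extension list are assumptions, as is Apache 2.4 with an `AllowOverride` setting that permits these directives.

```python
import os
import tempfile

# Assumed engine table (not from the page):
# name -> (guarding Apache modules, directive that disables it, script extensions)
ENGINES = {
    "php": (["mod_php5.c", "mod_php7.c", "mod_php.c"], "php_flag engine off",
            ["php", "php5", "php7", "phtml", "phar"]),
    "cgi": ([], "Options -ExecCGI", ["cgi", "pl", "py", "sh"]),
}


def build_htaccess(engines=ENGINES):
    """Return .htaccess text that stops uploaded scripts from being interpreted."""
    lines = ["# Generated: nothing in this directory may be interpreted"]
    all_exts = []
    for name, (modules, off, exts) in sorted(engines.items()):
        all_exts.extend(exts)
        lines.append(f"# {name}")
        if modules:
            # Guard module-specific directives: a directive Apache does not
            # know (e.g. php_flag without mod_php) turns every request into a 500.
            for mod in modules:
                lines += [f"<IfModule {mod}>", f"    {off}", "</IfModule>"]
        else:
            lines.append(off)
    dotted = " ".join("." + e for e in all_exts)
    lines += [f"RemoveHandler {dotted}", f"RemoveType {dotted}"]
    # mod_mime considers every extension, so also match "x.php.jpg", any case.
    pattern = "|".join(all_exts)
    lines += [f'<FilesMatch "(?i)\\.({pattern})(\\.|$)">',
              "    Require all denied",  # Apache 2.4; 2.2 uses "Deny from all"
              "</FilesMatch>"]
    return "\n".join(lines) + "\n"


def write_htaccess(upload_dir, engines=ENGINES):
    """Write the file atomically so Apache never reads a half-written config."""
    fd, tmp = tempfile.mkstemp(dir=upload_dir, prefix=".htaccess.")
    with os.fdopen(fd, "w") as fh:
        fh.write(build_htaccess(engines))
    os.chmod(tmp, 0o644)  # readable by the web server, writable only by owner
    path = os.path.join(upload_dir, ".htaccess")
    os.replace(tmp, path)
    return path
```

The upload handler itself should not be able to overwrite this file, so keep `.htaccess` out of the set of names an upload may use.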