In my project users are allowed to upload files of any type. I need to ensure security against execution of uploaded files that can parsed by php (*.php, *.html, etc.)
Is there a way to tell apache not to parse any files with php in web/uploads and simply display them as plain text? What are other options?
Keep them all under the same folder and set this line in the directory's .htaccess
file:
php_flag engine off
That will also take care of other exploits such as embedding PHP code in .gif files.
You want the Apache SetHandler directive: http://httpd.apache.org/docs/current/mod/core.html#sethandler
This lets you force all files in a directory to be processed by a certain handler. So something along the lines of:
<Location /web/uploads>
SetHandler None
</Location>
should do what you want.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With