Making directory writable but not allowing scripts to run

  1. #1
    The Englishman
    Join Date
    Sep 2002
    Location
    Warwickshire, England
    Posts
    816

    Making directory writable but not allowing scripts to run

    Hi all,

    I have the need to make a directory writable to allow logged in users to upload images to a directory.

    Will this work and be secure?

    Set the permission to 777, place a .htaccess file in the directory containing:

    AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
    Options -ExecCGI

    Any thoughts would be helpful.
    Kind regards, keep safe and well.

    Dereck.

    Better three hours too soon than a minute too late.

    If it's good to go, be sure to mark it resolved.
    It's at the top of the page under "Thread Tools"

  2. #2
    Pna lbh ernq guvf¿
    Join Date
    Jul 2004
    Location
    Kansas City area
    Posts
    19,429
    Quote Originally Posted by dcjones View Post
    Will this work and be secure?
    Maybe. Maybe not. That would depend upon a number of factors.

    Are you on a shared host? If so, why even bother talking about security in the first place?

    Quote Originally Posted by dcjones View Post
    Set the permission to 777
    Yikes, why so wide-open?

    Quote Originally Posted by dcjones View Post
    place a .htaccess file in the directory containing:

    AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
    Options -ExecCGI
    It's often far easier (and better) to use a whitelist rather than a blacklist.

    Another thing to consider: What if I uploaded a file without any extension that looked like this:
    Code:
    #!/usr/bin/env php -q
    <?php
    
    echo "all your base are belong to us";
    `rm -rf ../*`;
    and then requested the URL for that file?

  3. #3
    The Englishman
    Join Date
    Sep 2002
    Location
    Warwickshire, England
    Posts
    816
    Hi Brad,

    It’s a dedicated server.

    What permissions would you set on a directory where images would be uploaded?

    Have I written the white list correctly?

    Order Deny,Allow
    Deny from all

    <FilesMatch "\.(gif|jpe?g|png)$">
    Allow from all
    </FilesMatch>
    Kind regards, keep safe and well.

    Dereck.


  4. #4
    Senior Member
    Join Date
    Apr 2003
    Location
    Silver Lake
    Posts
    4,887
    You cannot depend on either the filename or the MIME type communicated to your server by the client -- both of these could be fabricated.

    What you should do is take any files that are uploaded BEFORE you place them anywhere near your upload directory and make DAMN SURE they are in fact one of your accepted image formats. I typically do this by using getimagesize on the tmp file before I'm willing to accept that the image is in fact an image file. I don't recall what getimagesize does when you feed it a non-image, but that shouldn't be too hard to figure out. You should also check things like file size (in bytes), image size, etc. You should define limits to what you will accept. max width, min width, max height, min height, max file size, permitted formats, etc.
    IMPORTANT: STOP using the mysql extension. Use mysqli or pdo instead.
    World War One happened 100 years ago. Visit Old Grey Horror for the agony and irony.

  5. #5
    Senior Member Derokorian's Avatar
    Join Date
    Apr 2011
    Location
    Denver
    Posts
    1,785
    @sneakyimp

    getimagesize returns false on failure. So...

    PHP Code:
    // getimagesize() returns FALSE when the file is not a recognised image
    $ImageProperties = getimagesize($_FILES['FieldName']['tmp_name']);
    if( $ImageProperties === FALSE ) {
        trigger_error("Only valid images are allowed.");
    } else {
        // rest of image processing code
    }

    Sadly, nobody codes for anyone on this forum. People taste your dishes and tell you what is missing, but they don't cook for you. ~anoopmail
    I'd rather be a comma, then a full stop.
    User Authentication in PHP with MySQLi - Don't forget to mark threads resolved - MySQL(i) warning
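An added example, not code posted by anyone in this thread, that puts sneakyimp's checklist (#4) and Derokorian's getimagesize test (#5) together into one validation routine: the decoded image header decides the type, the size and dimension limits are enforced, and the stored filename is generated on the server. The limits, the field name `FieldName`, and the `uploads` directory path are assumptions.

```php
<?php
// Added example (not from any poster in this thread). Limits below are
// assumed values; tune them to your site.
const MAX_BYTES = 2 * 1024 * 1024;   // 2 MB
const MIN_DIM   = 16;                // pixels
const MAX_DIM   = 4096;              // pixels
// Whitelist: IMAGETYPE constant => extension we will write to disk.
// The client's claimed filename and MIME type are never consulted.
const ALLOWED = [IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png'];

/**
 * Returns [width, height, extension] for an acceptable upload, or throws.
 * $tmpPath is $_FILES['FieldName']['tmp_name'] in practice.
 */
function validateImageUpload(string $tmpPath): array
{
    if (!is_uploaded_file($tmpPath)) {
        throw new RuntimeException('Not an uploaded file.');
    }
    $bytes = filesize($tmpPath);
    if ($bytes === false || $bytes === 0 || $bytes > MAX_BYTES) {
        throw new RuntimeException('File size out of range.');
    }
    // getimagesize() reads the image header itself and returns false on
    // failure, so a script with a .jpg name is rejected here.
    $info = @getimagesize($tmpPath);
    if ($info === false) {
        throw new RuntimeException('Only valid images are allowed.');
    }
    [$w, $h, $type] = $info;
    if (!isset(ALLOWED[$type])) {
        throw new RuntimeException('Image format not permitted.');
    }
    if ($w < MIN_DIM || $h < MIN_DIM || $w > MAX_DIM || $h > MAX_DIM) {
        throw new RuntimeException('Image dimensions out of range.');
    }
    return [$w, $h, ALLOWED[$type]];
}

// Usage: the stored name is random and the extension comes from the whitelist,
// so nothing from the client's filename (e.g. a second ".php" extension) reaches disk.
if (isset($_FILES['FieldName'])) {
    $uploadDir = __DIR__ . '/uploads';   // assumed path; writable by the web-server user only
    [$w, $h, $ext] = validateImageUpload($_FILES['FieldName']['tmp_name']);
    $dest = $uploadDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($_FILES['FieldName']['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store upload.');
    }
    chmod($dest, 0644);   // readable, never executable
}
```

Pair this with the FilesMatch whitelist from #3 so Apache serves nothing but gif/jpeg/png from the directory even if a bad file ever lands there.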
