Making directory writable but ot allowing scripts to run

dcjones

Hi all,

I have the need to make a directory writable to allow logged in users to upload images to a directory.

Will this work and be secure.

Set the permission to 777, place a .htaccess file in the directory containing:

AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI

Any thoughts would be helpfull.

bradgrafelman

dcjones;11022543 wrote:
Will this work and be secure.

Maybe. Maybe not. That would depend upon a number of factors.

Are you on a shared host? If so, why even bother talking about security in the first place? :p

dcjones;11022543 wrote:
Set the permission to 777

Yikes, why so wide-open?

dcjones;11022543 wrote:
place a .htaccess file in the directory containing:

AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI

It's often far easier (and better) to use a whitelist rather than a blacklist.

Another thing to consider: What if I uploaded a file without any extension that looked like this:

#!/usr/bin/env php -q
<?php

echo "all your base are belong to us";
`rm -rf ../*`;

and then requested the URL for that file?

dcjones

Hi Brad,

It’s a dedicated server.

what permissions would you set on a directory where images would be upload?

Have I written the white list correctly?

Order Deny,Allow
Deny from all

<FilesMatch ".(gif|jpe?g|png)$">
Allow from all
</FilesMatch>

sneakyimp

You cannot depend either on the filename nor the mime type communicated to your server by the client -- both of these could be fabricated.

What you should do is take any files that are uploaded BEFORE you place them anywhere near your upload directory and make DAMN SURE they are in fact one of your accepted image formats. I typically do this by using [man]getimagesize[/man] on the tmp file before I'm willing to accept that the image is in fact an image file. I don't recall what getimagesize does when you feed it a non-image, but that shouldn't be too hard to figure out. You should also check things like file size (in bytes), image size, etc. You should define limits to what you will accept. max width, min width, max height, min height, max file size, permitted formats, etc.

Derokorian

getimagesize returns false on failure. so...

$ImageProperties = getimagesize($_FILES['FieldName']['tmp_name']);
if( $ImageProperties === FALSE ) {
   trigger_error("Only valid images are allowed.");
} else {
   // rest of image processing code
}