duankan8739 2011-02-09 17:31
浏览 34
已采纳

这样安全吗? (PHP下载脚本)

I have a quick question about how safe this is to do. I have written a php force download script and the part that actually serves the file should look pretty familiar:

header('Content-Description: File Transfer');
header('Content-Type: application/force-download');
header('Content-Length: ' . filesize("user_files/".$temp_actual));
header('Content-Disposition: attachment; filename="'.$filename."\"");
readfile("user_files/".$temp_actual);

$filename is the filename they see and $temp_actual is the REAL filename on my server. Obviously there is a mountain of code above this to prevent bad things happening but basically, users should be able to download any content they have uploaded. if they upload a .php file, I really don't want it running on the server, i want it delivered to them via force downoad (and they DO need to be able to upload any file type).

It works as intended, with all file extensions being force downloaded, but I just want to make absolutely certain that they can't run any php or html files on my server.

Additional info

user_files is in the website root however is .htaccess "deny from all" every file in the user_files directory is appended .file instead of the original extension the original extension is replaced when the user downloads their file (maybe a bit over the top).

  • 写回答

4条回答 默认 最新

  • dongshuohuan5291 2011-02-10 13:44
    关注

    Ok so the answer is:

    it seems pretty safe to do this. For all you guys saying about input filtration etc.. let me give you a quick lowdown:

    Listen guys, obviously there is more checking involved so please dont reply with a user could upload xx.xx and overwrite your xx or download xx from /../../../../ although I do appreciate your help I should have re-worked the question a little. Assume the uploads and downloads are air tight.

    example filename evil.php

    • an upload script takes the users file strips anything that is not: a-zA-Z0-9,!-_

    • then removes the extension, stores it and the real name in a database #(and the new filename)

    • the file is renamed lets say 12345.file and stored in user_files

    • user_files has a CHMOD of 700 and a .htaccess reading deny from all

    • when the user wants to get their file, a script accesses the database and gets the real filename, the old filename and the extension, it tells the users browser the name of the file is oldfilename.extension (evil.php) however it is still on the filesystem as 12345.file. It then sets headers for a download and uses readfile() to read the contents to the browser.

    To check users can't get my server to PARSE php, I commented out the headers that open the save file download box and just used readfile(). the result was that the php was dumped to the page, but NOT PARSED. Further testing with eval() showed that it is not parsed either. Which is most helpful. =)

    (and after reading up a bit the headers above should be changed from application/force-download to application/octet-stream (the correct mime type).

    Thanks everyone who replied for all of your help - I hope this can clear stuff up for anyone that stumbles across this question in the future!

    Peace!

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(3条)

报告相同问题?

悬赏问题

  • ¥100 嵌入式系统基于PIC16F882和热敏电阻的数字温度计
  • ¥15 cmd cl 0x000007b
  • ¥20 BAPI_PR_CHANGE how to add account assignment information for service line
  • ¥500 火焰左右视图、视差(基于双目相机)
  • ¥100 set_link_state
  • ¥15 虚幻5 UE美术毛发渲染
  • ¥15 CVRP 图论 物流运输优化
  • ¥15 Tableau online 嵌入ppt失败
  • ¥100 支付宝网页转账系统不识别账号
  • ¥15 基于单片机的靶位控制系统