dou6495 2010-06-03 11:08
浏览 227
已采纳

将uploads文件夹保留在'public_html'之外是否足以保护我的应用程序免受恶意上传的侵害?

Although I realise there are different approaches to securing upload process, I'm still confused when it comes to basic principles. I want to allow users to upload any kind of file they want, but keep my app secure. So my question is:

Is it sufficient to store the files with their original names in 'uploads' folder outside 'webroot' and fetching them via some download.php script?

If it't not secure enough, please point me in the right direction, or suggest what additional steps I should take to make it safe. Thank you.

  • 写回答

2条回答 默认 最新

  • douren5490 2010-06-03 11:14
    关注

    No, it isn't enough.

    When you save the uploaded file, you must ensure that nothing malicious happens (e.g. if the file's "original name" was something like "../somewhere else" it might be possible to overwrite another file, including some PHP script under public_html, which would then allow a cracker to obtain a higher level of access). It's probably wisest to generate a random name or at least sanitise the original filename before using it.

    In a similar way, download.php must be immune to being 'tricked' into retrieving a file that is outside the download directory.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

悬赏问题

  • ¥15 有人能看一下我宿舍管理系统的报修功能该怎么改啊?链表那里总是越界
  • ¥15 cs loadimage运行不了,easyx也下了,没有用
  • ¥15 r包runway详细安装教程
  • ¥15 Html中读取Json文件中数据并制作表格
  • ¥15 谁有RH342练习环境
  • ¥15 STM32F407 DMA中断问题
  • ¥15 uniapp连接阿里云无法发布消息和订阅
  • ¥25 麦当劳点餐系统代码纠错
  • ¥15 轮班监督委员会问题。
  • ¥20 关于变压器的具体案例分析