dsdukbc60905239 2018-05-29 09:55
浏览 53
已采纳

如何拒绝执行特定apache目录下的任何文件?

I'm using apache2 and php. I built a form that lets the user to upload files to a specific directory. I already implemented some other security things, but I would also like to deny the execution of any file on that directory. They're meant to be only downloaded and not executed by users or scripts.

I've got the following code for htaccess, but it's a fake one, not sure of the syntax, nor if it's the best way of doing it:

<Location "/example/mydir/">
    <Files .>
        ForceType application/octet-stream
        Header set Content-Disposition attachment
    </Files>
</Location>

Could you please help me correct that code or point me to best practices?

  • 写回答

1条回答 默认 最新

  • doufu8887 2018-05-29 10:29
    关注

    Providing file upload/download facilities is a huge can of worms. In addition to the possibility of attacking your server there's also questions about data smuggling. malware and intellectual property. But since you are specifically asking about the former...

    Disabling PHP execution in this way only provides a single layer of prevention. if that layer fails for some reason then your security is gone. Also, this only prevents execution of the content if the webserver is pointed directly at the URL of the file - it doesn't provide any protection if someone can trick the existing php code into including the content.

    A minimal approach would be to store the content outside of directories accessible by URLs (i.e. outside of the document root and any other mapped directories).

    This does not prevent the inclusion vulnerability but eliminates the direct addressing vulnerability. All access to the content must then be mediated by a PHP script. But on the upside, its a lot easier to avoid OMGWTFs like:

    ForceType application/octet-stream

    Switching off PHP execution (php_flag engine off) is a better solution to disabling execution than changing the mime type. Forcing a mime type like this is always a bad idea.

    An alternative/complementary approach, would be to encode the files thus preventing code inclusion vulnerabilities.

    It's also a good idea to allocate your own filenames to the artefacts on your host filesystem.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 软件定义网络mininet和onos控制器问题
  • ¥15 微信小程序 用oss下载 aliyun-oss-sdk-6.18.0.min client报错
  • ¥15 ArcGIS批量裁剪
  • ¥15 labview程序设计
  • ¥15 为什么在配置Linux系统的时候执行脚本总是出现E: Failed to fetch http:L/cn.archive.ubuntu.com
  • ¥15 Cloudreve保存用户组存储空间大小时报错
  • ¥15 伪标签为什么不能作为弱监督语义分割的结果?
  • ¥15 编一个判断一个区间范围内的数字的个位数的立方和是否等于其本身的程序在输入第1组数据后卡住了(语言-c语言)
  • ¥15 Mac版Fiddler Everywhere4.0.1提示强制更新
  • ¥15 android 集成sentry上报时报错。