dsdukbc60905239 2018-05-29 01:55
浏览 53
已采纳

如何拒绝执行特定apache目录下的任何文件?

I'm using apache2 and php. I built a form that lets the user to upload files to a specific directory. I already implemented some other security things, but I would also like to deny the execution of any file on that directory. They're meant to be only downloaded and not executed by users or scripts.

I've got the following code for htaccess, but it's a fake one, not sure of the syntax, nor if it's the best way of doing it:

<Location "/example/mydir/">
    <Files .>
        ForceType application/octet-stream
        Header set Content-Disposition attachment
    </Files>
</Location>

Could you please help me correct that code or point me to best practices?

  • 写回答

1条回答 默认 最新

  • doufu8887 2018-05-29 02:29
    关注

    Providing file upload/download facilities is a huge can of worms. In addition to the possibility of attacking your server there's also questions about data smuggling. malware and intellectual property. But since you are specifically asking about the former...

    Disabling PHP execution in this way only provides a single layer of prevention. if that layer fails for some reason then your security is gone. Also, this only prevents execution of the content if the webserver is pointed directly at the URL of the file - it doesn't provide any protection if someone can trick the existing php code into including the content.

    A minimal approach would be to store the content outside of directories accessible by URLs (i.e. outside of the document root and any other mapped directories).

    This does not prevent the inclusion vulnerability but eliminates the direct addressing vulnerability. All access to the content must then be mediated by a PHP script. But on the upside, its a lot easier to avoid OMGWTFs like:

    ForceType application/octet-stream

    Switching off PHP execution (php_flag engine off) is a better solution to disabling execution than changing the mime type. Forcing a mime type like this is always a bad idea.

    An alternative/complementary approach, would be to encode the files thus preventing code inclusion vulnerabilities.

    It's also a good idea to allocate your own filenames to the artefacts on your host filesystem.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
编辑
预览

报告相同问题?

悬赏问题

  • ¥15 VAE代码如何画混淆矩阵
  • ¥15 求遗传算法GAMS代码
  • ¥15 雄安新区高光谱数据集的下载网址打不开
  • ¥66 android运行时native和graphics内存详细信息获取
  • ¥100 求一个c#通过CH341读取数据的Demo,能够读取指定地址值的功能
  • ¥15 rk3566 Android11 USB摄像头 微信
  • ¥15 torch框架下的强化学习DQN训练奖励值浮动过低,希望指导如何调整
  • ¥35 西门子博图v16安装密钥提示CryptAcquireContext MS_DEF_PROV Error of containger opening
  • ¥15 mes系统扫码追溯功能
  • ¥40 selenium访问信用中国
手机看
程序员都在用的中文IT技术交流社区

程序员都在用的中文IT技术交流社区

专业的中文 IT 技术社区,与千万技术人共成长

专业的中文 IT 技术社区,与千万技术人共成长

关注【CSDN】视频号,行业资讯、技术分享精彩不断,直播好礼送不停!

关注【CSDN】视频号,行业资讯、技术分享精彩不断,直播好礼送不停!

客服 返回
顶部