douzhang1852 2009-09-05 00:57
浏览 58

文件上传安全性,htaccess和更改扩展名

all. I'm pretty new to web development, so please be gentle. Apologies if I'm posting a topic that's already been discussed; I searched but couldn't find quite what I was looking for in another thread.

Background: I have a site that allows file uploads, but once uploaded, they won't need to be viewed by anyone but me. I've implemented some security measures such as having the php upload script only allow certain extensions, chmoding uploaded files to 0644, and using -ExecCGI for various extensions in an htaccess file inside the uploads folder.

The questions (three of them; aren't you lucky):

1) I'd like to have my htaccess file rewrite php extensions as something else. I found a bit of code to do this, but can't seem to get it to work:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^PUT$ [OR]
RewriteCond %{REQUEST_METHOD} ^MOVE$
RewriteRule ^(.*)\.php /site_redone/uploads/$1.nophp

the site structure goes like this (at least for now while I'm redoing the site): mysite.com/site_redone/uploads

I know that the host of my shared server allows mod_rewrite. They're running php 5.2.10. Not sure if my problem is a path issue (I haven't quite grasped that part yet), but have tried various path permutations in the RewriteRule part to no avail.

2) I currently have the file names being appended with a kind of time stamp (time()) to prevent overwriting by a file of the same name, so for example, myfile.doc becomes myfile1252087685.doc. I can store the extension in a MySQL database and just rewrite the file name to end in .txt or something in my php upload script, but I'm not sure if that'll accomplish the same thing as the above mod_rewrite attempt.

3) Is there a way to put the htaccess file in a higher directory from the uploads folder so it can't get overwritten my some ne'erdowell while it's in the uploads folder? I only want it to affect the uploads folder, not the directory in which it's placed, though. I'm guessing this somehow involves using Directory, but I don't know how to do that. Did I mention I'm new at this?

Thanks in advance!

  • 写回答

2条回答 默认 最新

  • doupo2157 2009-09-05 01:27
    关注

    I think the RewriteRule regex matches against the whole path, not one relative to the location of the .htaccess file. Not sure about that though.

    So you may want to try a regex like this:

    ^.*/([^/]*).php$

    Or maybe:

    ^/site_redone/uploads/([^/]*)\.php$

    I've never put a mod_rewrite RewriteRule in a subdirectory before, so the above is suggested for your top level .htaccess

    I don't think <Directory> is allowed in .htaccess, but there's some other similar directive that works. (FilesMatch or something?)

    Wait... didn't you say you want to deny web access to the whole folder? you can mod rewrite anythything that starts with /site_redone/uploads/ to a php script that displays an error page with an access denied http error code. So an expression like this: ^/site_redone/uploads/.*$

    评论

报告相同问题?

悬赏问题

  • ¥15 Vue3 大型图片数据拖动排序
  • ¥15 划分vlan后不通了
  • ¥15 GDI处理通道视频时总是带有白色锯齿
  • ¥20 用雷电模拟器安装百达屋apk一直闪退
  • ¥15 算能科技20240506咨询(拒绝大模型回答)
  • ¥15 自适应 AR 模型 参数估计Matlab程序
  • ¥100 角动量包络面如何用MATLAB绘制
  • ¥15 merge函数占用内存过大
  • ¥15 使用EMD去噪处理RML2016数据集时候的原理
  • ¥15 神经网络预测均方误差很小 但是图像上看着差别太大