I have a service where a user is allowed to upload anything they please. I have code execution and others disabled, but I cannot find a way to prevent a .htaccess file they upload from executing.
You should always rename user uploaded files! If you do not do that, user can easily upload hack.php and then launch it to get your site hacked or abused. So this is in fact your problem.
Rename your files after upload. Keep original name (along with i.e. size, mime type etc) in database and route file download/view via the script which would take that original name from DB and build proper headers and then file() content of that file to the user. That would prevent a file from being executable on your server
Or if that's the problem with .htaccess only (but I dare to say it is wider) then you can configure apache to ignore .htaccess in certain directories. It requires root rights on the machine, but you can add <Directory FOLDER> block to host configuration and put AllowOverride None in it.
Or, just check target filename on upload and reject any .htaccess and .htpassword. Or anything with name starting with .
Related
I know similar questions have been asked, but none of it guided me to the right solution.
What I want to do
Use .htaccess in a /uploads folder to ensure that only file with appropriate extension can be uploaded. (e.g. jpg, png)
What I have done
modify /etc/httpd/conf/httpd.conf
to allow overwrite of .htaccess file
create .htaccess file in /uploads folder
To test if .htaccess has been read, I have tried to put garbage in .htaccess file and access it from the browser. Corresponding error has been generated, therefore, .htaccess file is working properly.
Problem
The following script has been added to .htaccess
order deny,allow
deny from all
However, I am still able to upload files with any extensions to /uploads folder.
I have tried different suggestions from similar posts with no luck. Looking for new directions from you guys.
Thanks.
The name of the uploaded file is part of the body of the POST request the browser is making to the server, thus the .htaccess rules can't be enforced in your situation. Unless you are using some uploading schema, like creating a placeholder on the server and then submitting the file to that placeholder.
if you are using a GET method with base64 encoded string in your url, you can use .htaccess to redirect to an upload script base on the mime-type of that string. however I guess this is not what you trynna achieve. .htaccess is not appropriate in your case. if you need to control the extension of an uploaded file, you should make the process directly in your uploading script (php, python, whatever).
I have a 2.5GB file that I want to allow users to download after they buy it. I originally planned on hiding the file and then just using readfile to dump the file's contents with .zip headers but my GoDaddy server apparently won't allow me to use readfile on such a large file, so I'm stuck with changing the name of this important file every hour. But if someone can just list all the files on my www folder anyway then people can take it without paying for it.
Any suggestions?
As long as you don't allow indexing of the directory then they can't obtain a file listing. To do that create a .htaccess file in the directory and add:
Options -Indexes
Alternatively, if the folder has an index page this will also prevent the server disclosing a directory listing and instead serve the index page.
if you have more than 5 gig host so use the php exec command to copy your file with another name
let say you keep your file with a unguessable name in a unguessable folder
so whenever the buyer confirm the order then you copy the file to a known folder with user-generated name, then pass the link to user
if your host is linux then use cp command if it's windows use copy
use something like cp oldname.ext newname.ext or copy oldname.ext newname.ext
after a certain time you will delete the file in the known folder
I'm developing a very simple PHP upload feature in my site to permit users to upload JUST images. Apart from checking the mime-type through php I wanted a .htaccess file to rule what can be uploaded and what can't.
I want to insert the .htaccess in my root folder and from there writing the rules for all the folders I need to be ruled.
It's the first time I work with .htaccess and from the internet I was able to find this:
http://pastebin.com/0KNHEbw0
But it doesn't work. I'm testing it locally with my xampp on win7 and I see that I can upload any type of files in the "oggetti" folder.
What's that is wrong?
And then, to rule other folders should I write something like this?
http://pastebin.com/dFMUu1g0
Thank you in advance!
You can't control what files are uploaded through a .htaccess file: Apache, the web server parsing those commands, deals with serving the files only.
You will need to do these checks in the PHP script that handles the upload process. Note that checking the MIME type sent with the file is not a reliable method to determine a file's type! The value sent can be manipulated by an attacker. To ensure a file is an image file, you could e.g. use getimagesize().
This cannot be accomplished using .htaccess. I'm guessing what you're trying to do is prevent malicious scripts from accidentally being executed on the server. The way I normally handle file uploads like this is:
Insert filename, mime-type, etc., into a database with an auto_increment ID.
Use the ID as the file name - no extension, and place the file in a directory outside of your webroot. This way you're certain nobody can execute the file.
When a file is requested, query the database for filename mime-type and id, and send the file to the user with readfile() (follow the link for an example).
I'm using php and MYSQL. I've created a members area where people can upload important images (basically for financial record). I was hoping to get some advice as to the best way to store these files. What kind of folder structure would be best? Ex domain.com/Files/UserName/RandomGeneratedName/Files.
Also any advice for chmod, .htaccess, .htpassword and any kind of password protection with php.
Thanks in advance.
I would recommend to store them outside the tree. In this way, by default you need to enable access to them, not disable access (just in case you have a bug in your .htaccess/config/code, the access to the files is disabled, not enabled)
Second, get rid of the random directory, it doesn't add much to the security, but it complicates the implementation unnecessarily
You can use php to check the member credentials, put the appropriate headers (mime type for ex., etag, etc.), and serve the file via passthru or something similar.
Best way:
protect the directory with .htaccess
add an index.html to directory "just in case"
use random file names to store them in your directory
use php/mysql to check if user has access rights to your files
example:
You have a file in domain.com/protecteddir/sdjasdu83299sdnYUsb.dat
You can use php/mysql to send to user to a virtual directory to download the file. You can throw the correct file header + file name via php. So even if the file is called sdjasdu83299sdnYUsb.dat the user would download it as "myfinancial.doc"
The user will never know what the real file is located nor its name.
Your .htaccess file should contain:
<Files *>
Order Allow,Deny
Deny from All
</Files>
you could .htaccess for URL Rewriting and get the index.php file (write this code: ) in folder that save your files, so when anyone want to enter this folder:
First: he dont know real address
second: due there is a index.php that offer to home page he could not enter.
Among many folders available on the server by default like "public_html", "public_ftp" or simply the root, which one is the best to upload and store users' images safely which I can also add a link to mysql db?
If your clients upload images via http form, store it in public_html if they need access it from web.
I recommend you to save the files somewhere in "public_html" and create the following file to restrict public access:
file: upload/.htaccess
deny from all
In your php script you can send the files only to the users with access.
In my opinion, store it outside of the public htdocs folder. This is so that if someone manages to upload anything other than an image file (such as an evil PHP script), they won't be able to call it (and it won't run).
If you're public_html folder is say /path/to/website/public_html I'd store them in /path/to/website/uploaded_images
Also, make sure you that validate it so that it uses a white-list of allowed image names (such as only allowing .jpg, .gif and .png)
Edit:
You also need to create a script which opens the image file and passes it through back to the user
Define safely.
If you want to display these images on a site, that will be a folder in public_html, obviously, unless you want to use a script which presents the images to the user, possibly altering the image on-the fly, changing cache headers etc. Then you may move that folder outside of docroot anywhere the script will have access to those files.
Personally I store user images, files and everything in docroot, protected by .htaccess and accessed via a script which handles user permissions, if necessary. The files reside in an /uploaded folder with subfoldering up to 2 levels deep, each 'level' storing up to 1024 dirs/files. Files are named by their ids only, without any extension, all file info is stored in database. Took me some time to implement, but thankfully this is a reusable code.
Any folder inside your document root is fine. If you want it to be secure, make sure your script accepts only allowed file typed and, as another measure, put an .htaccess file inside that folder:
<FilesMatch "*.php">
SetHandler None
</FilesMatch>
This will ensure nothing get's executed from inside this directory.