Posted by gosha bine on 07/25/07 08:41
On 25.07.2007 07:47 FFMG wrote:
> Hi,
>
> My users can upload images in a folder on my system.
> What minimum attribute should I give the created, (@fopen($new_file,
> 'wb');), files and folder?
>
> I limit the extension of files, (images), but I want to prevent them
> from executing any code on the server.
>
> What attributes would you suggest?
>
> FFMG
>
A file must be readable by the webserver, so if php runs as the web server
user, the minimal chmod would be 400. However, if you want to access it
in other ways, e.g. via FTP under your own credentials, you have to
grant it 444 or even 666 (== read-write by everyone - this does not mean
"by everyone on the web" though).
Code execution has in general nothing to do with permissions. The webserver
will only execute a file if explicitly instructed to execute files with
a given extension. So, if the file extension is ".php" it will be
executed; if the extension is ".gif" it won't, even if it contains
chunks of php code.
That is, the protection from "remote execution" attacks of this kind is
quite simple: if you offer file uploads, always make sure the file extension
matches its content and only allow extensions from your whitelist.
--
gosha bine
makrell ~ http://www.tagarga.com/blok/makrell
php done right ;) http://code.google.com/p/pihipi
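The reply's three points (whitelist the extension, check that the bytes really are that image type, store the file read-only) put into one upload handler. This is an added example, not code from the thread or from either poster; it assumes PHP 7 or later, a form field named `image`, and an `$uploadDir` that the webserver is not configured to execute scripts from.

```php
<?php
// Added example (not from the original post): accept an uploaded image only
// if its extension is whitelisted AND its content decodes as that image type,
// then store it under a server-chosen name with read-only permissions.
// Assumptions: PHP >= 7, $_FILES['image'] from a multipart form, and an
// upload directory outside any path the webserver treats as executable.

$uploadDir = '/var/www/uploads';   // assumed path; not from the original post

// Whitelist: extension => the MIME type getimagesize() must report for it.
$allowed = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

function saveUploadedImage(array $file, string $uploadDir, array $allowed): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed or was not a real upload');
    }

    // Take only the extension from the client-supplied name, never the name itself.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        throw new RuntimeException("extension '$ext' is not on the whitelist");
    }

    // Content check: the header must parse as the image type the extension claims.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $allowed[$ext]) {
        throw new RuntimeException('file content does not match its extension');
    }

    // Server-generated name: discards client path components and extra extensions.
    $target = $uploadDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;

    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not move upload into place');
    }
    // 0444 as in the reply: readable by the webserver (and FTP) user, writable
    // by nobody, and no execute bit at all.
    chmod($target, 0444);
    return $target;
}

$saved = saveUploadedImage($_FILES['image'], $uploadDir, $allowed);
echo 'stored as ' . basename($saved);
```

If the upload directory is served by the same webserver, also make sure its configuration maps none of the whitelisted extensions to a script handler, since that mapping, not the file mode, is what decides execution.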