|
|
Posted by C. on 07/25/07 11:35
On 25 Jul, 07:27, Sanders Kaufman <bu...@kaufman.net> wrote:
> FFMG wrote:
> > Hi,
>
> > My users can upload images in a folder on my system.
> > What minimum attribute should I give the created, (@fopen($new_file,
> > 'wb');), files and folder?
>
> > I limit the extension of files, (images), but I want to prevent them
> > from executing any code on the server.
>
> > What attributes would you suggest?
>
What is your security model?
I'd usually go with drwxrSxr-x for upload dirs (with a group including
webserver uid and web developer uids) and -rw-rw-r-- for files. But a
group excluding web server uid for non-uploaded content.
> Just a note about this.
> I found out a few years ago that you also should strip header
> information out of GIF images. You can put PHP code in there, and it
> executed when the gif is displayed.
>
This only applies if the PHP parsing engine is invoked on the file.
This is usually determined by the file extension:
> > I limit the extension of files,
But its probably better practice to convert to a different img format
and back again using GD to be on the safe side.
C.
Navigation:
[Reply to this message]
|