可以将文章内容翻译成中文,广告屏蔽插件可能会导致该功能失效(如失效,请关闭广告屏蔽插件后再试):
问题:
I have a directory where users can upload files.
To avoid security issues (e.g. somebody uploading a malicious php script), I currently change the files' extension by appending .data for example, but then when downloading the file, they have to manually remove the .data.
Another common solution is to upload the files in a directory that is not served by Apache, and have a php script manage all downloads by calling readfile().
What I'd like to do is to simply disallow execution of any scripts (php, perl, cgi scripts, whatever I may install in the future) in the upload folder. This SO answer suggests adding the following line in a .htaccess file in that folder:
SetHandler default-handler
However, in my case this has no effect (the example php script I put in that folder is still executed). What am I doing wrong?
Apache configuration
The machine is a VPS (Virtual Private Server) running Debian GNU/Linux 6.0.7 (squeeze), and as far as I can remember (I note down all commands I run on that server, so my "memory" should be pretty accurate), I dindn't change anything in apache2 configuration, appart from running sudo apt-get install php5, and creating the the file /etc/apache2/sites-enabled/mysite.com with the following contents:
ServerAdmin webmaster@localhost ServerName mysite.com ServerAlias www.mysite.com DocumentRoot /home/me/www/mysite.com/www/ Options FollowSymLinks AllowOverride All Options Indexes FollowSymLinks MultiViews AllowOverride All Order allow,deny allow from All ErrorLog ${APACHE_LOG_DIR}/error.log # Possible values include: debug, info, notice, warn, error, crit, # alert, emerg. LogLevel warn CustomLog ${APACHE_LOG_DIR}/access.log combined
回答1:
Put this in your .htaccess:
# @mivk mentionned in the comments that this may break # directory indexes generated by Options +Indexes. SetHandler default-handler
But this has a few security holes: one can upload a .htaccess in a subdirectory, and override these settings, and they might also overwrite the .htaccess file itself!
If you're paranoid that the behaviour of the option should change in the future, put this in your /etc/apache2/sites-enabled/mysite.com
# Important for security, prevents someone from # uploading a malicious .htaccess AllowOverride None SetHandler none SetHandler default-handler Options -ExecCGI php_flag engine off RemoveHandler .cgi .php .php3 .php4 .php5 .phtml .pl .py .pyc .pyo AllowOverride None SetHandler none SetHandler default-handler Options -ExecCGI php_flag engine off RemoveHandler .cgi .php .php3 .php4 .php5 .phtml .pl .py .pyc .pyo
If you can't modify the apache configuration, then put the files in a .htaccess with the following directory structure:
/home/me/www/ |- myuploadscript.php |- protected/ |- .htaccess |- upload/ |- Uploaded files go here
That way, nobody should be able to overwrite your .../protected/.htaccess file since their uploads go in a subdirectory of .../protected, not in protected itself.
AFAICT, you should be pretty safe with that.
回答2:
My Godaddy setup wont allow me to edit the httpd.conf files, and the php_flag command doesn't work due to how they've implemented php for me.
I was able to use this in my .htaccess file:
SetHandler default-handler AddType text/plain php
I put this in the directory above where my FTP user is allowed to access, which forces all PHP files in that directory, as well as all sub-directories to show php as plain text.
This will work for other file types as well. All you need to do is add another line with whatever extension of file you want to be forced to display in plain text. AddType text/plain cgi for example
