Trying to figure out some security for allowing file uploads in my PHP script. My main goal is to allow image files to be uploaded.
So. Well I don't have a simple test upload form made yet, the upload form I have at the moment is just in my script that only I use.
1. Researching file permissions. (Not going to work to prevent php code being executed). Skip to 2.
I remember in some old school cgi and php where we upload a script to our website and there were instructions of chmod all these different files and directories and making them executable and some files 0644 and 0755 and that one file to 0777. I just stopped following those chmod instructions once php 3.x came out or 2.8 or something, just upload and run the script, I don't even know if it was needed in the first place unless you screw up your stack install user group permissions or cgi-php.
Ok let's just say I have a script and supposed to only upload image files. But I uploaded a php file. I don't really have the upload script just yet, just testing different things with the file system chmod permissions.
I have a simple script to check the file permissions.
is_executable returns false for a php file on my Windows 10 - Apache-PHP-MySQL Bitnami Stack. And the php code does run when browser opens it.
Code: Select all
<?php
//chmod2.php
echo "<pre>\n";
var_dump(decoct(fileperms('somefile.php')));
echo "\n";
//win10: string(6) "100666"; linux: string(6) "100644"
var_dump(is_executable('somefile.php'));
echo "\n";
//returns false on both systems
var_dump(is_executable('somefile.exe'));
//Windows10: true. Linux: false
?>Code: Select all
<?php
/*
Windows 10 Apache-PHP-MySQL Bitnami Stack
somefile.php will execute correctly in browser
somefile.exe wont execute the code and will prompt the browser to download
Linux Server
somefile.php will execute correctly in browser
somefile.exe wont execute the code and will prompt the browser to download
*/
echo "h0ere is a test file";
?>But if you are running a different setup or just using cgi then yes the file permissions could be useful. I am just testing the setup environment that I usually use, my testing machine: local windows/linux-ubuntu with bitnami stack of apache-php-mysql and paid service live linux server.
2. Using .htaccess to disable PHP in the upload folder.
The Apache documents mention to try not to use .htaccess because of a performance hit. Instead use httpd main server config. But I think I will be using .htaccess in a directory used for image uploads and maybe html/text.
I think I do have access to the httpd main server config file. So I will research both options. I do wonder how much of a performance hit it is, but I'll just take their word at that for the moment.from: https://httpd.apache.org/docs/2.4/howto/htaccess.html
You should avoid using .htaccess files completely if you have access to httpd main server config file. Using .htaccess files slows down your Apache http server. Any directive that you can include in a .htaccess file is better set in a Directory block, as it will have the same effect with better performance.
Disable the PHP engine to the uploads folder. Create the .htaccess file in the uploads directory, type in the php_flag engine off. I am not sure yet how I will setup my uploads directory, probably something like _docroot/uploads/some_kind_of_subfolder and then I can have the .htaccess in that uploads/
There seems to be some kind of caching going on and it is stuck using that cached file and it is annoying. I guess the browser is stuck downloading the same uploads/somefile.php even after I deleted .htaccess and I updated the php file to echo a different string but the browser is just still downloading the old file. I quit messing with this. So yes, with that .htaccess file, PHP is disabled for that uploads directory and php files will prompt user to download the file as source code.
It shouldn't be too hard to figure out how to do that from httpd main server config file. Something like a <Directory "/my/path"></Directory> I would guess, and the php_flag engine off, I guess.
3. Lets Build the Upload Script
phpflare_uploadfile.php:
Code: Select all