Milosz (posted October 30, 2008)

Hello, I am presently developing an online file-sharing system similar to fileplanet, mediafire, yousendit, and the like. Users are able to upload files, and view a list of uploaded files for downloading.

I have found the following security hole: users can upload a PHP script, then inject Javascript handled by that PHP into my page. Needless to say, this opens up a world of hacking possibilities. Furthermore, if a less mischievous user were to upload a PHP script simply to share it, the receiver would be disappointed to find that he has downloaded the HTML output of the PHP file.

I think that both of these problems can be dealt with by disabling the execution of PHP for a given folder (in other words, serving PHP as simple, unprocessed text). I am using WAMP server (I know, Linux rocks and so forth, don't flame me - I have my reasons) with PHP5. I'm assuming that whether or not PHP is executed is handled by .htaccess files. There may be a completely different solution that doesn't involve Apache directives, I don't know.

If anyone has information relating to the above, please share!
trq (posted October 30, 2008)

Unfortunately you can't disable php on a per directory basis (as far as I'm aware). However, what you can do is disable it globally and then enable it only within the directories you wish by adding this to your .htaccess file, or even within your virtual host configurations.

    AddType application/x-httpd-php .php
Milosz, author (posted October 30, 2008)

My root document is index.php, so I must place an .htaccess file with the AddType directive into my root folder. Unfortunately, this enables PHP execution for all subfolders as well. The folder containing uploaded files is a subfolder of the root, so it is affected by this directive. Therefore my possibilities are either storing my root document outside the root, or storing my uploaded files folder outside the root. I don't know how to set either up. Any suggestions?
PFMaBiSmAd (posted October 30, 2008)

The folder that you place uploaded files into should either be a folder that is outside of your web document folder or have a .htaccess file that prevents http/https access to all.

Here is the setting that will prevent the parsing of php code - http://us3.php.net/manual/en/apache.configuration.php
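Putting trq's "disable globally, re-enable per directory" idea and PFMaBiSmAd's two options together as one concrete configuration. This is an added example, not configuration from any post in the thread; the paths C:/wamp/www and C:/wamp/www/uploads are assumptions for a WAMP install, the syntax is Apache 2.2 (the 2.4 equivalent of the deny rule is noted in a comment), and php_flag only has an effect when PHP runs as mod_php, which is what WAMP uses.

```apache
# httpd.conf (on WAMP it lives under the Apache bin directory; exact path is an assumption)

# Step 1: no PHP anywhere by default. Comment out whatever global line maps
# .php to the PHP engine, e.g.
#   AddType application/x-httpd-php .php
# or an equivalent AddHandler/SetHandler line, if one is present.

# Step 2: re-enable PHP only under the application root. AddType is inherited
# by every subdirectory, which is exactly why a root .htaccess also covered the
# uploads folder; the blocks below override it for that one directory.
<Directory "C:/wamp/www">
    AddType application/x-httpd-php .php
    Options -Indexes
</Directory>

# Step 3a: uploads kept inside the document root but never executed.
# "php_flag engine off" is the setting from the php.net page linked above:
# mod_php declines the request and Apache sends the raw bytes, so a shared
# .php file arrives as source text instead of as rendered output.
<Directory "C:/wamp/www/uploads">
    php_flag engine off
    RemoveType    .php .phtml .php3 .php4 .php5 .phps
    RemoveHandler .php .phtml .php3 .php4 .php5 .phps
    Options -ExecCGI -Includes -Indexes
    # Keep this block in httpd.conf and forbid .htaccess here: with overrides
    # allowed, an uploaded .htaccess could simply add the type back.
    AllowOverride None
</Directory>

# Step 3b (the alternative PFMaBiSmAd describes): no HTTP access at all, and a
# download script hands the files out instead. Use 3a or 3b; if both are left
# in, the deny rule wins and nothing in uploads/ is reachable directly.
<Directory "C:/wamp/www/uploads">
    Order deny,allow
    Deny from all
    # Apache 2.4 equivalent:  Require all denied
</Directory>
```

Two checks after restarting Apache: request an uploaded test.php and confirm you get its source (3a) or a 403 (3b), and upload a file literally named .htaccess and confirm it is rejected by the upload handler or ignored by the server, since a writable, override-enabled upload directory is the usual way this protection gets undone.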
Milosz, author (posted October 30, 2008)

> The folder that you place uploaded files into should either be a folder that is outside of your web document folder or have a .htaccess file that prevents http/https access to all.
>
> Here is the setting that will prevent the parsing of php code - http://us3.php.net/manual/en/apache.configuration.php

Hi,

Thank you, that worked perfectly.

I'm wondering about what you said above. If I prevent http/https access to all, then users won't be able to download the files directly. Are you suggesting using an alternate method of serving these files? Actually, I often see websites serving files under URLs that don't end in an extension. What are the advantages of using this method and how is it done?

And thanks thorpe for your interest! I conclude this problem solved.
PFMaBiSmAd (posted October 30, 2008)

If the files are stored in a folder outside of the web document root or in a folder where http/https access is denied, then yes, any listing or downloading of files would need to be done through a script that accesses them and outputs the contents.

For downloading, you probably should be doing it this way anyway so that you can limit who can download the files and/or track who or how many times each file is downloaded. You can also prevent output of these files when people put direct links to them on their own web sites, by making sure someone who is downloading them has visited your page with the download link.
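A download script of the kind PFMaBiSmAd describes, as an added example that is not code from the thread. It assumes PHP 7 or later, files stored outside the web root at C:/wamp/uploads under a server-chosen name, an SQLite database outside the web root with a `files` table (id, original_name, stored_name) and a `downloads` table (file_id, user_id, at), a logged-in user id in `$_SESSION['user_id']`, and a per-file token that the listing page stores in `$_SESSION['dl_tokens']` when it builds the link; every one of those names is an assumption. The token is how "has visited your page with the download link" is enforced here, since a Referer check is forgeable and often stripped.

```php
<?php
// download.php  (added example; the paths, tables and session keys are assumptions)
declare(strict_types=1);

const UPLOAD_DIR = 'C:/wamp/uploads';            // outside C:/wamp/www: Apache never serves it
const DB_DSN     = 'sqlite:C:/wamp/data/files.db'; // also outside the web root

session_start();

// Called by the listing page to build each link. The token ties the download
// to this session and to this file id, so a copied URL does nothing elsewhere.
function download_link(int $fileId): string
{
    $token = bin2hex(random_bytes(16));
    $_SESSION['dl_tokens'][$fileId] = $token;
    return sprintf('download.php?id=%d&t=%s', $fileId, $token);
}

function fail(int $status, string $msg): void
{
    http_response_code($status);
    header('Content-Type: text/plain');
    exit($msg);
}

function serve_download(): void
{
    if (empty($_SESSION['user_id'])) {
        fail(403, 'Login required');
    }

    $id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false || $id === null) {
        fail(400, 'Bad id');
    }

    // The token must match what the listing page handed out; it is used once.
    $given    = (string) ($_GET['t'] ?? '');
    $expected = $_SESSION['dl_tokens'][$id] ?? '';
    if ($expected === '' || !hash_equals($expected, $given)) {
        fail(403, 'Download links must be taken from the file list');
    }
    unset($_SESSION['dl_tokens'][$id]);

    $db   = new PDO(DB_DSN, null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $stmt = $db->prepare('SELECT original_name, stored_name FROM files WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        fail(404, 'No such file');
    }

    // stored_name is server-generated, but still confine the resolved path to UPLOAD_DIR.
    $base = realpath(UPLOAD_DIR);
    $path = $base === false ? false : realpath($base . DIRECTORY_SEPARATOR . $row['stored_name']);
    if ($base === false || $path === false || !is_file($path)
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        fail(404, 'No such file');
    }

    // Record who downloaded what before sending, so an aborted transfer still counts.
    $db->prepare('INSERT INTO downloads (file_id, user_id, at) VALUES (:f, :u, :t)')
       ->execute([':f' => $id, ':u' => $_SESSION['user_id'], ':t' => time()]);

    // Send as an opaque attachment: a generic type plus nosniff means the browser
    // saves the bytes and never renders an uploaded .html/.svg/.php inline, which
    // is the other half of the script-injection problem from the first post.
    $safeName = preg_replace('/[^A-Za-z0-9._-]+/', '_', $row['original_name']);
    $safeName = ltrim($safeName, '.') ?: 'download';
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $safeName . '"');
    header('Content-Length: ' . filesize($path));
    header('Cache-Control: private, no-store');
    while (ob_get_level() > 0) {
        ob_end_clean();   // no buffered whitespace or BOM may precede the body
    }
    readfile($path);
}

// Serve only when requested directly; the listing page can require this file
// just to get download_link().
if (realpath($_SERVER['SCRIPT_FILENAME'] ?? '') === __FILE__) {
    serve_download();
}
```

Because the URL is download.php?id=N and the file name comes from the Content-Disposition header, the links carry no extension at all, which is the pattern Milosz noticed on other sites: the browser never sees a path into the upload folder, so there is nothing to guess and nothing for Apache to execute.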
trq (posted October 30, 2008)

> And thanks thorpe for your interest! I conclude this problem solved.

No worries. And it would appear we both learnt something!