Uploading

[nakinney]

Ill try to be brief.  I's using a website with a high school computer science class that I teach next year.  During our discussion of high level programming, I would like them to upload simple php programs to practice loops and functions.  Handling the uploads is no problem, but I'm concerned about security.  Question 1 - if my students are not going to be malicious, is my concern unjustified?  Second, could I give each student their own directory such that if something was hypothetically harmful it would only effect the content of that users directory?  I have limited experience with these sorts of issues, but I can probably figure things out with a little advice.  Thanks Nick

[premiso]

How I would do it:

Each student as a login, they must login before they upload. When they upload the data is stored in "their folder" a custom php.ini should be used in the "upload" folders which limits what functions are allowed to use, IE: deny them to use cURL / fopen / file_get_contents / open_basedir / chdir / fwrite / fputs / fgets / exec / system / eval / set_time_limit / ini_set / file_open_url should be false (to prevent including of remote files)

 

There may be others you want to add to that list, but as long as the server supports custom php.ini for a folder it should trickle down (test before going live obviously).

 

The issue, as you are well aware of it seems, is that an infinite loop (accidental or maliciously) can cause the server to crawl / hault. You may want to set the script execution / timeout limit to be 20s instead of the default 30s for this reason. But this probably will effect the majority of the students, so be aware of that. As for the harmful being only to that directory, well as long as you take the precautions to not allow them to read in any file data, write any file data, change directories...then yes, technically speaking (given no other loop holes) it "should" be fine. But this will limit to what the students are being taught / are able to test.

 

Along with all that, you can also setup each student with their own "directory root" or "Location" I am not sure which one is the one you want but googling can help, using the httpd.conf / virtualhosts file. This way when they browse to say Webserverip/studentname they are locked to that directory and it acts as a root to prevent malicious file manipulation. The main thing is though to keep a running log on the server of who logs in etc (which should be done by default in apache) then you can get the IP / what action was taken by the users etc / who uploaded what code. (You could even code this into the upload portion). But in the end it all depends on how proactive you want to be.