N-Bomb(Nerd) Posted September 3, 2012 Share Posted September 3, 2012 Hello, I'm aiming to a create a small-sized file hosting website. Of course the main idea for me is security. Would simply changing the chmod to directory to only allow read access prevent from any executions? Are there any exploits for this? Also, what would be the best approach to use to keep file names in tact, but not copy/write over any other files? How do upload websites achieve the (virtual?) directory structures such as: example.com/10t/yourfile.pdf Quote Link to comment Share on other sites More sharing options...
Hydrian Posted September 3, 2012 Share Posted September 3, 2012 For the file names just have a user having to register before uploading a file. Then set a var that randomises a url and set another function making sure that each url isnt the same. if a post is say like hasent been visited for 5months delete it Quote Link to comment Share on other sites More sharing options...
N-Bomb(Nerd) Posted September 3, 2012 Author Share Posted September 3, 2012 For the file names just have a user having to register before uploading a file. Then set a var that randomises a url and set another function making sure that each url isnt the same. if a post is say like hasent been visited for 5months delete it I'm not even looking to have users to register. Simply go to the website. Upload. Link. Quote Link to comment Share on other sites More sharing options...
Hydrian Posted September 3, 2012 Share Posted September 3, 2012 well you should have a user system. It would make things alot easier. Quote Link to comment Share on other sites More sharing options...
Christian F. Posted September 5, 2012 Share Posted September 5, 2012 Hydrian: I'm really curious as to why you believe adding a completely unrelated set of functions will help on the security of an upload script? In other words, when making statements like these you need to explain why you think it would make it easier. N-Bomb: The basic stuff you have to verify is filenames, paths, MIME-types and that the files are actually of the type they are reported as. Exactly how you do that latter part really depends upon the filetype, and what you want to allow your users to upload. Ranging from extremely simple (pure text files), to the more convoluted (executables, images and such). If you want to allow your users to upload any arbitrary file, then you really need to keep your tongue straight. Mostly because it would be trivial to take control over your server, if the users can get to the files outside of your download controller. Which means that you cannot permit direct linking to the file, at least not without ensuring that there is no possible way for the web server to try to parse anything within the folder. It's much easier to just have the uploaded files outside of the web root, and have a PHP file that reads the file's contents and prints it to the browser. Along with the correct headers, of course. In any case, you do have some reading up to do. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.