
What is the best chmod for a fopen/fwrite?


Hi,

My users can upload images in a folder on my system.
What minimum attribute should I give the created, (@fopen($new_file,
'wb');), files and folder?

I limit the extension of files, (images), but I want to prevent them
from executing any code on the server.

What attributes would you suggest?

FFMG
------------------------------------------------------------------------
FFMG's Profile: http://www.httppoint.com/member.php?userid=580
View this thread: http://www.httppoint.com/showthread.php?t=18736

Message Posted via the webmaster forum http://www.httppoint.com, (Ad revenue sharing).

Jul 25 '07 #1
8 Replies


FFMG wrote:
>Hi,
>
>My users can upload images in a folder on my system.
>What minimum attribute should I give the created, (@fopen($new_file,
>'wb');), files and folder?
>
>I limit the extension of files, (images), but I want to prevent them
>from executing any code on the server.
>
>What attributes would you suggest?

Just a note about this.
I found out a few years ago that you also should strip header
information out of GIF images. You can put PHP code in there, and it
executed when the gif is displayed.

Freaky.
Jul 25 '07 #2

On 25.07.2007 07:47 FFMG wrote:
>Hi,
>
>My users can upload images in a folder on my system.
>What minimum attribute should I give the created, (@fopen($new_file,
>'wb');), files and folder?
>
>I limit the extension of files, (images), but I want to prevent them
>from executing any code on the server.
>
>What attributes would you suggest?
>
>FFMG
A file must be readable by the webserver, so if php runs as web server
user, the minimal chmod would be 400. However, if you want to access it
in other ways, e.g. per FTP under your own credentials, you have to
grant it 444 or even 666 (== read-write by everyone - this does not mean
"by everyone on the web" though)

Code execution has in general nothing to do with permissions. Webserver
will only execute a file if explicitly instructed to execute files with
given extension. So, if the file extension is ".php" it will be
executed, if the extension is ".gif" it won't, even if it contains
chunks of php code.

That is, the protection from "remote execution" attacks of this kind is
quite simple: if you offer file uploads, always make sure file extension
matches its content and only allow extensions from your whitelist.
--
gosha bine

makrell ~ http://www.tagarga.com/blok/makrell
php done right ;) http://code.google.com/p/pihipi
Jul 25 '07 #3


Sanders Kaufman;83072 Wrote:
>FFMG wrote:
>>Hi,
>>
>>My users can upload images in a folder on my system.
>>What minimum attribute should I give the created, (@fopen($new_file,
>>'wb');), files and folder?
>>
>>I limit the extension of files, (images), but I want to prevent them
>>from executing any code on the server.
>>
>>What attributes would you suggest?
>
>Just a note about this.
>I found out a few years ago that you also should strip header
>information out of GIF images. You can put PHP code in there, and it
>executed when the gif is displayed.
>
>Freaky.
More the reason why I should prevent the 'image' from executing.

So what attributes should I set then?

FFMG

Jul 25 '07 #4

..oO(FFMG)
>Sanders Kaufman;83072 Wrote:
>>Just a note about this.
>>I found out a few years ago that you also should strip header
>>information out of GIF images. You can put PHP code in there, and it
>>executed when the gif is displayed.
>
>More the reason why I should prevent the 'image' from executing.
Whether the webserver will "execute" a file primarily depends on the
file extension. A file myImage.gif.php doesn't even have to have any
execution bits set - if the server can read it, PHP can load and
interpret it.
>So what attributes should I set then?
Nothing special. The file just has to be readable for the webserver.

Just keep an eye on the file extension, especially if you allow users to
directly access their uploaded files:

http://example.com/user/myImage.gif.php

Or use a script to deliver the files to the user, so the webserver won't
even try to handle the file on its own.

Micha
Jul 25 '07 #5
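Micha's second option, delivering the files through a script, as an added example that is not code from the thread. It assumes the uploads were stored under random hex names (as a separate upload handler would generate them) in UPLOAD_DIR, a directory outside the document root, and that the page is requested as serve.php?f=NAME.

```php
<?php
// Added example, not from the thread. The web server never maps a URL onto
// the upload directory; this script reads the file and sets the headers
// itself, so a stray "x.gif.php" is never handed to the PHP engine.

const UPLOAD_DIR = '/var/www/uploads';   // assumed location, outside the web root

// Sends the image and returns true, or returns false without any output.
function serve_image(string $requested): bool
{
    // Accept only names the upload handler generates: 16 hex chars plus a
    // whitelisted extension. "../", double extensions and odd bytes fail here.
    if (!preg_match('/^[0-9a-f]{16}\.(jpe?g|png|gif)$/', $requested)) {
        return false;
    }
    // Belt and braces: the resolved path must still sit inside UPLOAD_DIR.
    $real = realpath(UPLOAD_DIR . '/' . $requested);
    if ($real === false || strpos($real, UPLOAD_DIR . '/') !== 0) {
        return false;
    }
    // Take the MIME type from the image header, not from the extension.
    $info = @getimagesize($real);
    if ($info === false) {
        return false;
    }
    header('Content-Type: ' . $info['mime']);
    header('Content-Length: ' . filesize($real));
    header('X-Content-Type-Options: nosniff');   // no browser type sniffing
    header('Content-Disposition: inline; filename="' . $requested . '"');
    readfile($real);
    return true;
}

$f = $_GET['f'] ?? '';
if (!is_string($f) || !serve_image($f)) {
    http_response_code(404);
    echo 'Not found';
}
```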

C.
On 25 Jul, 07:27, Sanders Kaufman <bu...@kaufman.net> wrote:
>FFMG wrote:
>>Hi,
>>My users can upload images in a folder on my system.
>>What minimum attribute should I give the created, (@fopen($new_file,
>>'wb');), files and folder?
>>I limit the extension of files, (images), but I want to prevent them
>>from executing any code on the server.
>>What attributes would you suggest?
What is your security model?

I'd usually go with drwxrSxr-x for upload dirs (with a group including
webserver uid and web developer uids) and -rw-rw-r-- for files. But a
group excluding web server uid for non-uploaded content.
>Just a note about this.
>I found out a few years ago that you also should strip header
>information out of GIF images. You can put PHP code in there, and it
>executed when the gif is displayed.
This only applies if the PHP parsing engine is invoked on the file.
This is usually determined by the file extension:
>>I limit the extension of files,
But it's probably better practice to convert to a different img format
and back again using GD to be on the safe side.

C.

Jul 25 '07 #6
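Pulling together gosha bine's advice (whitelist the extension and make sure the content matches it) and C.'s (round-trip the image through GD), here is an added example upload handler; it is not code from the thread. It assumes PHP 7 or later with the GD extension, and that $uploadDir is a directory outside the document root.

```php
<?php
// Added example, not from the thread. Assumes PHP >= 7 with the GD extension.
// The upload is kept only if the claimed extension is whitelisted AND the bytes
// really are that image type; the stored copy is a fresh GD encoding under a
// random name, so nothing but pixel data reaches the upload directory.
const ALLOWED_TYPES = [
    'jpg'  => IMAGETYPE_JPEG,
    'jpeg' => IMAGETYPE_JPEG,
    'png'  => IMAGETYPE_PNG,
    'gif'  => IMAGETYPE_GIF,
];
// Takes one $_FILES entry; returns the stored name, or null if rejected.
function store_uploaded_image(array $file, string $uploadDir)
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // 1. Whitelist the extension the client claims.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        return null;
    }
    // 2. The header must agree with the extension, or it is not an image at all.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[2] !== ALLOWED_TYPES[$ext]) {
        return null;
    }
    // 3. Decode the pixels and re-encode: comments, EXIF and anything else
    //    tucked into the original container do not survive the round trip.
    $img = @imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($img === false) {
        return null;
    }
    // 4. Never reuse the client's name ("photo.gif.php" must not survive).
    $name = bin2hex(random_bytes(8)) . '.' . $ext;
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    switch (ALLOWED_TYPES[$ext]) {
        case IMAGETYPE_JPEG: $ok = imagejpeg($img, $dest, 90); break;
        case IMAGETYPE_PNG:  $ok = imagepng($img, $dest);      break;
        default:             $ok = imagegif($img, $dest);      break;
    }
    imagedestroy($img);
    if (!$ok) {
        return null;
    }
    // 5. Readable by the web server, never executable (the bit CGI would honour).
    chmod($dest, 0644);
    return $name;
}
```

Call it as store_uploaded_image($_FILES['image'], '/var/www/uploads') and keep only the returned name; note that the GD round trip flattens an animated GIF to its first frame.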

Rik
On Wed, 25 Jul 2007 08:27:55 +0200, Sanders Kaufman <bu***@kaufman.net>
wrote:
>Just a note about this.
>I found out a few years ago that you also should strip header
>information out of GIF images. You can put PHP code in there, and it
>executed when the gif is displayed.
Only on lousy webserver setups.
--
Rik Wasmus
Jul 25 '07 #7

gosha bine wrote:
>Code execution has in general nothing to do with permissions.
Unless CGI is available on the server, in which case the execute bit is
rather important.

--
Toby A Inkster BSc (Hons) ARCS
[Geek of HTML/SQL/Perl/PHP/Python/Apache/Linux]
[OS: Linux 2.6.12-12mdksmp, up 36 days, 17:43.]

Cryptography Challenge
http://tobyinkster.co.uk/blog/2007/0...pto-challenge/
Jul 27 '07 #8

On 27.07.2007 16:05 Toby A Inkster wrote:
>gosha bine wrote:
>>Code execution has in general nothing to do with permissions.
>
>Unless CGI is available on the server, in which case the execute bit is
>rather important.
Agreed, good point. ;)

--
gosha bine

makrell ~ http://www.tagarga.com/blok/makrell
php done right ;) http://code.google.com/p/pihipi
Jul 27 '07 #9
