
What is the best chmod for a fopen/fwrite?


Hi,

My users can upload images in a folder on my system.
What minimum attribute should I give the created, (@fopen($new_file,
'wb');), files and folder?

I limit the extension of files, (images), but I want to prevent them
from executing any code on the server.

What attributes would you suggest?

FFMG
------------------------------------------------------------------------
FFMG's Profile: http://www.httppoint.com/member.php?userid=580
View this thread: http://www.httppoint.com/showthread.php?t=18736

Message Posted via the webmaster forum http://www.httppoint.com, (Ad revenue sharing).

Jul 25 '07 #1
FFMG wrote:
> Hi,
>
> My users can upload images in a folder on my system.
> What minimum attribute should I give the created, (@fopen($new_file,
> 'wb');), files and folder?
>
> I limit the extension of files, (images), but I want to prevent them
> from executing any code on the server.
>
> What attributes would you suggest?

Just a note about this.
I found out a few years ago that you also should strip header
information out of GIF images. You can put PHP code in there, and it
executed when the gif is displayed.

Freaky.
Jul 25 '07 #2
On 25.07.2007 07:47 FFMG wrote:
> Hi,
>
> My users can upload images in a folder on my system.
> What minimum attribute should I give the created, (@fopen($new_file,
> 'wb');), files and folder?
>
> I limit the extension of files, (images), but I want to prevent them
> from executing any code on the server.
>
> What attributes would you suggest?
>
> FFMG

A file must be readable by the webserver, so if php runs as web server
user, the minimal chmod would be 400. However, if you want to access it
in other ways, e.g. per FTP under your own credentials, you have to
grant it 444 or even 666 (== read-write by everyone - this does not mean
"by everyone on the web" though)

Code execution has in general nothing to do with permissions. The
webserver will only execute a file if explicitly instructed to execute
files with a given extension. So, if the file extension is ".php" it will
be executed; if the extension is ".gif" it won't, even if it contains
chunks of php code.

That is, the protection from "remote execution" attacks of this kind is
quite simple: if you offer file uploads, always make sure file extension
matches its content and only allow extensions from your whitelist.
--
gosha bine

makrell ~ http://www.tagarga.com/blok/makrell
php done right ;) http://code.google.com/p/pihipi
Jul 25 '07 #3

Sanders Kaufman;83072 Wrote:
> FFMG wrote:
> > Hi,
> >
> > My users can upload images in a folder on my system.
> > What minimum attribute should I give the created, (@fopen($new_file,
> > 'wb');), files and folder?
> >
> > I limit the extension of files, (images), but I want to prevent them
> > from executing any code on the server.
> >
> > What attributes would you suggest?
>
> Just a note about this.
> I found out a few years ago that you also should strip header
> information out of GIF images. You can put PHP code in there, and it
> executed when the gif is displayed.
>
> Freaky.

All the more reason why I should prevent the 'image' from executing.

So what attributes should I set then?

FFMG

Jul 25 '07 #4
..oO(FFMG)

> Sanders Kaufman;83072 Wrote:
> > Just a note about this.
> > I found out a few years ago that you also should strip header
> > information out of GIF images. You can put PHP code in there, and it
> > executed when the gif is displayed.
>
> All the more reason why I should prevent the 'image' from executing.

Whether the webserver will "execute" a file primarily depends on the
file extension. A file myImage.gif.php doesn't even have to have any
execution bits set - if the server can read it, PHP can load and
interpret it.

> So what attributes should I set then?

Nothing special. The file just has to be readable for the webserver.

Just keep an eye on the file extension, especially if you allow users to
directly access their uploaded files:

http://example.com/user/myImage.gif.php

Or use a script to deliver the files to the user, so the webserver won't
even try to handle the file on its own.

Micha
Jul 25 '07 #5
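One way to do what Micha suggests, as an added example that is not from the thread (PHP; the storage path, the file-name shape and the `f` query parameter are assumptions): keep the uploads outside the document root and let a script deliver them, so the webserver's handler mapping never sees the stored file and a name like myImage.gif.php is simply rejected by the script.

```php
<?php
// Added example, not from the thread: serve stored images through a script
// instead of letting the webserver map the file to a handler by extension.
// STORE_DIR is a hypothetical path OUTSIDE DocumentRoot, so nothing in it
// can be requested by URL at all; this script is the only way to read it.

declare(strict_types=1);

const STORE_DIR = '/srv/app/uploads';   // hypothetical, not under the web root
const TYPES = [
    'gif'  => 'image/gif',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
];

/**
 * Resolve a client-supplied name to [absolute path, MIME type], or null.
 * Only names of the assumed form <32 hex chars>.<ext> are accepted, which
 * rules out "../", slashes and double extensions before touching the disk.
 */
function resolveImage(string $name): ?array
{
    if (!preg_match('/\A[0-9a-f]{32}\.(gif|jpe?g|png)\z/', $name, $m)) {
        return null;
    }
    $base = realpath(STORE_DIR);
    $real = realpath(STORE_DIR . '/' . $name);
    // realpath() returns false for missing files and resolves symlinks;
    // insist that the result is still a regular file inside STORE_DIR.
    if ($base === false || $real === false
        || strpos($real, $base . '/') !== 0 || !is_file($real)) {
        return null;
    }
    return [$real, TYPES[$m[1]]];
}

function serveImage(string $name): void
{
    $hit = resolveImage($name);
    if ($hit === null) {
        http_response_code(404);
        header('Content-Type: text/plain');
        echo "not found\n";
        return;
    }
    [$path, $mime] = $hit;
    // The type comes from our whitelist, never from the stored file name
    // as the client sent it, and browsers are told not to second-guess it.
    header('Content-Type: ' . $mime);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: inline; filename="' . $name . '"');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}

// Requested as /image.php?f=<name> (assumed); e.g.
//   /image.php?f=3f2a...9c.gif  -> served as image/gif
//   /image.php?f=myImage.gif.php -> 404, never reaches any PHP handler
serveImage((string) ($_GET['f'] ?? ''));
```

Because the files sit outside the document root, the chmod question becomes simple: the directory and files only need to be readable by the user PHP runs as, and no execute bit is needed anywhere.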
C.
On 25 Jul, 07:27, Sanders Kaufman <bu...@kaufman.net> wrote:
> FFMG wrote:
> > Hi,
> > My users can upload images in a folder on my system.
> > What minimum attribute should I give the created, (@fopen($new_file,
> > 'wb');), files and folder?
> > I limit the extension of files, (images), but I want to prevent them
> > from executing any code on the server.
> > What attributes would you suggest?

What is your security model?

I'd usually go with drwxrSxr-x for upload dirs (with a group including
webserver uid and web developer uids) and -rw-rw-r-- for files. But a
group excluding web server uid for non-uploaded content.

> Just a note about this.
> I found out a few years ago that you also should strip header
> information out of GIF images. You can put PHP code in there, and it
> executed when the gif is displayed.

This only applies if the PHP parsing engine is invoked on the file.
This is usually determined by the file extension:

> > I limit the extension of files,

But it's probably better practice to convert to a different img format
and back again using GD to be on the safe side.

C.

Jul 25 '07 #6
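As an added example that is not from the thread (PHP; the upload directory, size limit, form field and group name are assumptions), here is an upload handler that combines what gosha bine and C. recommend above: whitelist the extension, check that the bytes really are that image type, push the pixels through GD so that anything hidden in headers or comments is discarded, and store the result as -rw-rw-r-- in a directory set up as drwxrwsr-x (2775, which is how I read the mode in C.'s post), with no execute bit anywhere.

```php
<?php
// Added example, not from the thread: validate and store an uploaded image.
// Every path, limit and field name below is a hypothetical choice.

declare(strict_types=1);

// Assumed upload directory. One-time setup as the deploying user, with a
// group that contains the webserver uid and the developer uids:
//   mkdir -p /var/www/uploads && chgrp webdev /var/www/uploads
//   chmod 2775 /var/www/uploads        # drwxrwsr-x: setgid keeps the group
const UPLOAD_DIR = '/var/www/uploads';   // hypothetical path
const MAX_BYTES  = 2 * 1024 * 1024;       // 2 MiB, arbitrary limit

// Extension whitelist, each mapped to the MIME type the bytes must have.
const ALLOWED = [
    'gif'  => 'image/gif',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
];

/**
 * Store one entry of $_FILES (e.g. $_FILES['image']) and return the
 * server-chosen file name; throws RuntimeException on any rejection.
 */
function storeUploadedImage(array $upload): string
{
    if (($upload['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, error ' . $upload['error']);
    }
    if (!is_uploaded_file($upload['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($upload['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // 1. Extension: judge only the LAST extension, lower-cased, so that
    //    "evil.php.gif" is treated as gif and "evil.gif.php" is refused.
    $ext = strtolower(pathinfo($upload['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException("extension '$ext' not allowed");
    }

    // 2. Content: the bytes must be what the extension claims.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $upload['tmp_name']);
    finfo_close($finfo);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException("content is $mime, expected " . ALLOWED[$ext]);
    }

    // 3. Re-encode through GD: decoding and re-encoding keeps the pixels and
    //    drops comments, extra chunks and trailing data from the original.
    $img = @imagecreatefromstring((string) file_get_contents($upload['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('GD could not decode the image');
    }

    // 4. Name: never reuse the client's file name on disk.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;

    $ok = match ($ext) {
        'gif'         => imagegif($img, $dest),
        'jpg', 'jpeg' => imagejpeg($img, $dest, 90),
        'png'         => imagepng($img, $dest),
    };
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('could not write re-encoded image');
    }

    // 5. Permissions: -rw-rw-r-- as suggested in the thread. Readable by the
    //    webserver, writable by the developer group, and no execute bit, so a
    //    CGI-enabled server (Toby's point) cannot run it either.
    chmod($dest, 0664);
    return $name;
}

// Usage inside the upload script (form field "image" is assumed):
// try {
//     $stored = storeUploadedImage($_FILES['image']);
// } catch (RuntimeException $e) {
//     http_response_code(400);
//     echo 'Upload rejected: ' . htmlspecialchars($e->getMessage());
// }
```

If the upload directory has to stay under the document root, also tell the server not to run PHP there (with mod_php, `php_admin_flag engine off` inside the matching `<Directory>` block), so the extension check is not the only thing standing between an uploaded file and the interpreter.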
Rik
On Wed, 25 Jul 2007 08:27:55 +0200, Sanders Kaufman <bu***@kaufman.net>
wrote:
> Just a note about this.
> I found out a few years ago that you also should strip header
> information out of GIF images. You can put PHP code in there, and it
> executed when the gif is displayed.

Only on lousy webserver setups.
--
Rik Wasmus
Jul 25 '07 #7
gosha bine wrote:
> Code execution has in general nothing to do with permissions.

Unless CGI is available on the server, in which case the execute bit is
rather important.

--
Toby A Inkster BSc (Hons) ARCS
[Geek of HTML/SQL/Perl/PHP/Python/Apache/Linux]
[OS: Linux 2.6.12-12mdksmp, up 36 days, 17:43.]

Cryptography Challenge
http://tobyinkster.co.uk/blog/2007/0...pto-challenge/
Jul 27 '07 #8
On 27.07.2007 16:05 Toby A Inkster wrote:
> gosha bine wrote:
> > Code execution has in general nothing to do with permissions.
>
> Unless CGI is available on the server, in which case the execute bit is
> rather important.

Agreed, good point. ;)

--
gosha bine

makrell ~ http://www.tagarga.com/blok/makrell
php done right ;) http://code.google.com/p/pihipi
Jul 27 '07 #9
