我正在开展一项任务,使PHP文件上传安全,我的客户希望遵循http://www.acunetix.com/websitesecurity/upload-forms-threat.htm网站上的指南提及
我们能够遵循本网站上提到的所有指南,接受htaccess规则.他们提到要做以下事情.
Define a .htaccess file that will only allow access to files with allowed extensions.
Do not place the .htaccess file in the same directory where the uploaded files will be stored. It should be placed in the parent directory.
A typical .htaccess which allows only gif, jpg, jpeg and png files should include the following (adapt it for your own need). This will also prevent double extension attacks.
deny from all
<Files ~ "^\w+\.(gif|jpe?g|png)$">
order deny,allow
allow from all
</Files>
If possible, upload the files in a directory outside the server root.
Prevent overwriting of existing files (to prevent the .htaccess overwrite attack).
Create a list of accepted mime-types (map extensions from these mime types).
Generate a random file name and add the prevIoUsly generated extension.
Don’t rely on client-side validation only, since it is not enough. Ideally one should have both server-side and client-side validation implemented.
这样就不会执行除gif,jpg和png之外的其他文件了.但是他们不希望htaccess位于我们上传图像的文件夹中,因为该文件夹具有权限并且htaccess可以被覆盖.所以他们告诉将文件保持在根级别.
我想知道,如果我们将文件保留在根级别并且只允许图像类型执行,那么我的PHP脚本将如何执行?当我在根级别添加此htaccess时,当然我的PHP脚本不起作用并返回权限错误.努力工作以解决这个问题.
你能帮助我做这个工作或任何其他有效的方法来进行这种安全检查.我们不想在系统上留下安全漏洞.
任何帮助将不胜感激.
谢谢你们.
解决方法:
<IfModule mod_PHP5.c>
PHP_flag engine off
</IfModule>
或者,如果您无法在.htaccess文件中设置它,那么您可以在httpd.conf或vhost conf文件中执行此操作:
<VirtualHost *:80>
# ...
<Directory /path/to/webroot/path/to/upload/folder>
deny from all
<Files ~ "^\w+\.(gif|jpe?g|png)$">
order deny,allow
allow from all
</Files>
<IfModule mod_PHP5.c>
PHP_flag engine off
</IfModule>
</Directory>
</VirtualHost>
