Reputation: 8125
How to deny execution of any file on a specific apache directory?
I'm using apache2 and php. I built a form that lets the user to upload files to a specific directory. I already implemented some other security things, but I would also like to deny the execution of any file on that directory. They're meant to be only downloaded and not executed by users or scripts.
I've got the following code for htaccess, but it's a fake one, not sure of the syntax, nor if it's the best way of doing it:
<Location "/example/mydir/">
<Files .>
ForceType application/octet-stream
Header set Content-Disposition attachment
</Files>
</Location>
Could you please help me correct that code or point me to best practices?
Upvotes: 0
Views: 796
Answers (1)
Reputation: 48387
Providing file upload/download facilities is a huge can of worms. In addition to the possibility of attacking your server there's also questions about data smuggling. malware and intellectual property. But since you are specifically asking about the former...
Disabling PHP execution in this way only provides a single layer of prevention. if that layer fails for some reason then your security is gone. Also, this only prevents execution of the content if the webserver is pointed directly at the URL of the file - it doesn't provide any protection if someone can trick the existing php code into including the content.
A minimal approach would be to store the content outside of directories accessible by URLs (i.e. outside of the document root and any other mapped directories).
This does not prevent the inclusion vulnerability but eliminates the direct addressing vulnerability. All access to the content must then be mediated by a PHP script. But on the upside, its a lot easier to avoid OMGWTFs like:
ForceType application/octet-stream
Switching off PHP execution (php_flag engine off) is a better solution to disabling execution than changing the mime type. Forcing a mime type like this is always a bad idea.
An alternative/complementary approach, would be to encode the files thus preventing code inclusion vulnerabilities.
It's also a good idea to allocate your own filenames to the artefacts on your host filesystem.
Upvotes: 1
Related Questions
- Allow only specific file to run PHP via htaccess
- Apache - How to deny directory but allow one file in that directory
- Prevent access to files in a certain folder
- htaccess deny access to all php files except specific one
- Deny access to all PHP files in a directory using .htaccess
- Make php files under a certain directory unaccessible using htaccess
- restrict access on php file from all except one file
- Disable a file execution inside a folder .htaccess rule
- block all directorys but one file?
- Deny access to a file