suncat100

Reputation: 2194

PHP file manager upload / block PHP files

I have searched various "PHP upload security" posts, especially in regards to blocking PHP files from being uploaded, but there does not seem to be a definite way to prevent disguised PHP files from getting uploaded from a "filemanager"-like application with file rename capabilities. Please correct me if I am wrong.

Of course one can do checks on both extension and MIME type on upload. However, a user could easily upload "index.html" (containing some PHP) and then rename it to "index.php" from the filemanager, so this doesn't seem to offer much security. One could of course prevent renaming files to "*.php", but that seems fragile at best.

The ultimate solution of course is to disable PHP execution within directories where files are stored. However, the filemanager app will be distributed, and I can only recommend this to server owners, not enforce it.

Any feedback appreciated. Just for reference, I am referring to a distributed PHP filemanager application, so I have no control of the server environment (apart from making recommendations). The filemanager allows renaming files, and users would generally want to upload most file types (excluding php).

Upvotes: 0

Views: 481

Answers (1)

hassan

Reputation: 8308

The uploaded files should be only uploaded files (assets or static files). You should not run them using PHP; even if you need to allow your user to upload a file (let's say their own CSS for their custom profile), this file should only be loaded as a static file.

In nginx, for example:


server {
    # ....

    # PHP handler: only scripts that physically exist are passed on;
    # anything else gets a 404 instead of falling through.
    location ~ \.php$ {
        try_files $uri =404;
        # ...
    }

    # Static assets are served directly by nginx, never executed.
    location ~* \.(js|css|jpg|jpeg|gif|png|tgz|gz|rar|bz2|doc|pdf|ppt|tar|wav|bmp|rtf|swf|ico|flv|txt|woff|woff2|svg)$ {
        # rest of configuration;
    }

    # ....
}

Upvotes: 2
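An added example (not from the answer above) of what the "serve uploads as static files" recommendation looks like as a complete nginx server block: the upload directory is isolated with a `^~` prefix location so no file stored there, whatever it is named or renamed to, can reach the PHP handler. The paths `/var/www/app`, `/uploads/` and the php-fpm socket are assumptions for illustration.

```nginx
server {
    listen 80;
    server_name example.com;          # assumption: placeholder host name
    root /var/www/app;                # assumption: document root of the file manager

    # Uploads directory. "^~" is a prefix match that takes precedence over
    # every regex location below, so the PHP handler is never consulted for
    # anything under /uploads/ (shell.php, x.phtml, a.php.jpg, ...).
    location ^~ /uploads/ {
        # Serve the file as-is or return 404; never fall through to PHP.
        try_files $uri =404;
        # Stop browsers from sniffing a disguised HTML/script file as markup.
        add_header X-Content-Type-Options nosniff always;
        # Unknown extensions are offered as a download, not rendered.
        default_type application/octet-stream;
        # Belt and braces: refuse to hand out PHP-family names at all.
        location ~* \.(php|phtml|phar|php\d)$ { return 404; }
    }

    # PHP is executed only for scripts that exist outside /uploads/.
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumption: php-fpm socket path
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    # Everything else goes to the application front controller.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }
}
```

Because the protection is tied to the directory rather than to file names, renaming "index.html" to "index.php" through the file manager changes nothing: the file is still only ever read from disk and sent as bytes.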
