Re: What is the best chmod for a fopen/fwrite?



On 25.07.2007 07:47 FFMG wrote:
Hi,

My users can upload images in a folder on my system.
What minimum attribute should I give the created files (@fopen($new_file, 'wb');) and folder?

I limit the extension of files, (images), but I want to prevent them
from executing any code on the server.

What attributes would you suggest?

FFMG


A file must be readable by the webserver, so if PHP runs as the web server user, the minimal chmod would be 400. However, if you want to access it in other ways, e.g. via FTP under your own credentials, you have to grant it 444 or even 666 (== read-write by everyone - this does not mean "by everyone on the web" though).

Code execution has in general nothing to do with permissions. The webserver will only execute a file if explicitly instructed to execute files with a given extension. So, if the file extension is ".php" it will be executed; if the extension is ".gif" it won't, even if it contains chunks of PHP code.

That is, the protection from "remote execution" attacks of this kind is quite simple: if you offer file uploads, always make sure file extension matches its content and only allow extensions from your whitelist.


--
gosha bine

makrell ~ http://www.tagarga.com/blok/makrell
php done right ;) http://code.google.com/p/pihipi
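An added example (not code from the thread or from either poster) of the upload handling gosha describes: extension whitelist, content check that the bytes really are that image type, and a restrictive chmod after fwrite. It assumes an upload field named "image", an upload directory outside the document root, and PHP 7 or later for random_bytes().

```php
<?php
// Added example, not from the original thread. Assumptions: the form field is
// "image" and $uploadDir is not served as PHP (outside the docroot).

// Whitelist: extension => image type the bytes must actually have.
$allowed = [
    'jpg'  => IMAGETYPE_JPEG,
    'jpeg' => IMAGETYPE_JPEG,
    'png'  => IMAGETYPE_PNG,
    'gif'  => IMAGETYPE_GIF,
];

function saveUploadedImage(array $file, string $uploadDir, array $allowed): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // Use only the extension of the client-supplied name, never its path.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null; // extension not on the whitelist
    }
    // Check the content, not just the name: getimagesize() parses the image
    // header and reports the real type in $info[2].
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[2] !== $allowed[$ext]) {
        return null; // bytes do not match the claimed extension
    }
    // Choose the file name ourselves so the uploader cannot pick it.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $path = rtrim($uploadDir, '/') . '/' . $name;

    $data = file_get_contents($file['tmp_name']);
    $fh = fopen($path, 'xb'); // 'x': create only, fail if it already exists
    if ($fh === false) {
        return null;
    }
    fwrite($fh, $data);
    fclose($fh);
    // Owner read-only, the minimum gosha gives when PHP runs as the web
    // server user; use 0444 instead if FTP or other users must read it.
    chmod($path, 0400);
    return $path;
}

$saved = saveUploadedImage($_FILES['image'] ?? ['error' => UPLOAD_ERR_NO_FILE], '/var/uploads', $allowed);
```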