Re: [PHP] File Upload Security and chmod
- From: wearhdphp@xxxxxxxxx ("Andy Hultgren")
- Date: Fri, 22 Sep 2006 19:19:14 -0600
For whatever reason when I ftp in using WinFtp I don't see public_html
(it's hidden, don't know why; if I make a directory called
".public_html" it gets created and then disappears), but I can see my
file structure from my host's website and so I know that when I ftp in
to myDomain.com this is what is "there":
index.htm
page1.htm
page2.htm
..public_html/
images/
etc. etc.
Currently nothing is stored in my .public_html directory since it is
not my root (and my website loads just fine when browsed to).
I don't ftp in from DreamWeaver and it isn't an issue of going
straight to public_html just to skip the cd step. public_html just
isn't set up as my root directory and I have no directories accessible
that are higher than my root.
So, since I have no access to directories outside of my root, do you
really think I should change that before allowing file uploads?
(either by changing servers or just bugging my server administrator
until he changes it). I currently check extension type and then image
type using getimagesize(); and also files with image extensions are
not executable on the server. However, from what I've read I
understand that those steps are the minimum in terms of file upload
security.
Also, I'd be curious still to hear why I can browse to a file in a
directory that has been set with chmod 0100. I really didn't expect
that.
Thanks again very much for your thoughts,
Andy
On 9/22/06, Richard Lynch <ceo@xxxxxxxxx> wrote:
I may have hit "send" too soon...
Like, when you do FTP, do you see:
index.htm
page2.htm
page3.htm
right away?
*OR*, do you see:
public_html
And then you do "cd public_html" and THEN you see the files?
If you don't do "cd public_html" then I really don't think accepting
file uploads is a Good Idea, unless you have access to /tmp or
something to put the files in...
If you do "cd public_html" then you actually HAVE space outside your
webtree. Just do "mkdir uploads" and "chmod 777 uploads" *BEFORE* you
do "cd public_html" and you'll have an uploads dir outside the webtree
where you can put stuff.
NOTE:
Some fancy FTP tools like DreamWeaver and whatnot will convince you to
put "public_html" into some input box somewhere, to give you the
convenience of not needing to "cd public_html" -- which then means you
never *SEE* that you have space outside your webtree... Stop doing
that. An extra click or whatever to get into public_html is not that
big of a deal.
On Fri, September 22, 2006 7:21 pm, Andy Hultgren wrote:
> So pretty much there's nothing to be done about it? If I can get the
> chmod thing to make it so that you can't surf to your uploaded image
> afterwards and view it, I'd be happy with that solution. I'd like to
> stick with this host if I could.
>
> On 9/22/06, Richard Lynch <ceo@xxxxxxxxx> wrote:
>> On Fri, September 22, 2006 3:58 pm, Andy Hultgren wrote:
>> > that as my root directory is simply www.myDomain.com and not
>> > ".public_html/" and I am on a shared server where my root cannot
>> be
>>
>> I got two words for you:
>>
>> Change Hosts
>>
>> --
>> Like Music?
>> http://l-i-e.com/artists.htm
>>
>>
>>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
--
Like Music?
http://l-i-e.com/artists.htm
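As an added illustration of the two points raised in this thread (Andy's extension plus getimagesize() checks, and Richard's advice to keep uploads outside the webtree), here is example code that is not from either poster. It assumes a placeholder upload directory /home/USER/uploads that sits outside public_html, a form field named "image", and a serve script that is the only route by which stored files reach a browser.

```php
<?php
// Added example, not code from the thread. Accept an image upload with an
// extension allowlist and a getimagesize() check, store it under a generated
// name outside the webtree, and hand it back only through serve_image().
const UPLOAD_DIR = '/home/USER/uploads';   // placeholder path, outside public_html
const ALLOWED = ['jpg' => IMAGETYPE_JPEG, 'jpeg' => IMAGETYPE_JPEG,
                 'png' => IMAGETYPE_PNG,  'gif' => IMAGETYPE_GIF];

// Returns the stored file name, or null if the upload is rejected.
function store_image(array $file): ?string {
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return null;                                // extension not on the allowlist
    }
    // The declared extension must agree with what the bytes actually are;
    // a renamed script fails here because getimagesize() returns false.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[2] !== ALLOWED[$ext]) {
        return null;
    }
    // Never reuse the client-supplied name; generate one the client cannot control.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0640);                             // readable by the web user, never executable
    return $name;
}

// serve.php?f=<name>: the file is read from outside the webtree and sent as
// image data, so nothing under UPLOAD_DIR is ever a browsable URL.
function serve_image(string $name): void {
    if (!preg_match('/^[0-9a-f]{32}\.(jpe?g|png|gif)$/', $name)) {
        http_response_code(404);                    // rejects traversal and stray names
        return;
    }
    $path = UPLOAD_DIR . '/' . $name;
    if (!is_file($path) || ($info = getimagesize($path)) === false) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . $info['mime']);
    header('Content-Disposition: inline; filename="' . $name . '"');
    readfile($path);
}
```

Wire it up as `$name = store_image($_FILES['image']);` in the upload handler and `serve_image($_GET['f'] ?? '')` in serve.php; the directory itself needs only to be writable by the web server user, not 777.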