--- Richard Lynch <ceo@xxxxxxxxx> wrote:

> I personally think that if you can't upload your images outside
> your web tree then, in fact, your server admin is at fault for not
> providing you a directory structure that allows that. Good
> security requires cooperation from both admin and Programmer.

I agree with both of these points. In fact, if the temporary upload directory is within document root, there exists a security vulnerability, regardless of the code. I can upload a file to any PHP script, and PHP provides the script with the $_FILES superglobal array, including the temporary name and location of the file that I uploaded. You don't have to actually use $_FILES for this to happen.

> Also, you *SHOULD* force the file to be saved on your server
> with the correct extension. If a user can upload a JPEG with
> .php on the end, or worse, with php in the middle of the
> filename, and then your server puts that file in the web tree or
> otherwise allows it to be executed, *YOU* (and your server
> admin) screwed up your security, not PHP.

Trusting the name provided by the client is certainly a bad practice, but I wouldn't consider "php" in the middle of a filename to be worse than extension manipulation. I'm not sure what gave you that idea, but it's just not true.

> Under *NO* circumstances should a file uploaded by an
> untrusted user be put into your web tree. You should *KEEP* it
> outside the web tree, and use PHP to http://php.net/readfile it
> when it needs to be displayed. Since you are using PHP's
> readfile function to *READ* the file, Apache won't have any
> chance to get fooled into thinking it's supposed to be a PHP file
> and be parsed by PHP.

This is misleading. It is fine to put uploaded files within document root, and in fact many applications may require this. Using readfile() is not realistic except for small sites - the performance penalty alone makes this a poor approach, since it provides very little value.
That being said, it's true that you should not trust the name provided by the client (or anything provided by the client), but this is much different than blind paranoia. If this perspective were applied to HTML forms, no one could use them.

Chris

=====
Chris Shiflett - http://shiflett.org/
PHP Security - O'Reilly
HTTP Developer's Handbook - Sams
Coming Soon http://httphandbook.org/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
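The points both posters agree on (never trust the client-supplied name, force a server-chosen extension, and never let the web server treat an upload as a PHP script) can be put into a single upload handler. This is an added example, not code from either poster; it assumes a form field named `upload` and an `uploads/` directory that the web server serves as static files only, with no PHP handler mapped for it.

```php
<?php
// Added example: upload handler that never trusts the client's filename.
// Assumes UPLOAD_DIR is served as static content only (no .php handler).
declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/uploads';                       // assumed path
const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

function store_upload(array $file): string
{
    // Accept only a file PHP itself placed in the temp dir for this request.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('no valid upload');
    }

    // Decide the type from the file's bytes, not from the client's name or
    // Content-Type header: "photo.php" or "photo.php.jpg" cannot influence it.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!array_key_exists($mime, ALLOWED)) {
        throw new RuntimeException('unsupported type: ' . $mime);
    }

    // Server-chosen name: random, one dot, extension taken from our own table.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644);  // readable by the web server, never executable
    return $name;
}

if (isset($_FILES['upload'])) {
    try {
        echo 'stored as ', htmlspecialchars(store_upload($_FILES['upload']));
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage());
    }
}
```

Because the stored name is generated server-side and the extension comes from the MIME table, a client-supplied `.php` suffix (or `php` anywhere in the name) never reaches the filesystem, which addresses the concern about Apache being fooled without resorting to readfile().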