Hi,

I am relatively new to PHP and am trying to set up a file upload process for my website. I have read through the PHP security documentation and a number of the security-related questions on these lists and am attempting to implement as many of the measures as possible.

One of the suggestions I have read is to have the uploaded files saved somewhere outside of your root directory. Unfortunately I cannot do that as my root directory is simply www.myDomain.com and not ".public_html/" and I am on a shared server where my root cannot be changed (I have already asked). So, I am trying to keep the permissions on my "saved_files" folder as tight as possible except when the actual upload occurs. I do this as follows:

1) The actual file upload comes through Flash8, and when the user uploads a file it is sent to www.domain.com/flash8directory/upload.php, which is in the same directory as the Flash8 upload application.

2) upload.php first chmod 0740 the "saved_files" folder (which is located at www.domain.com/flash8directory/saved_files/). Then it does security checks to make sure an appropriate image has been uploaded, and if everything looks good it moves the uploaded file to "saved_files".

3) The Flash8 upload application is notified of the completion of the upload and downloads the new image into its viewer.

4) Once the download is complete and Flash8 no longer needs to work with the file, the Flash8 application notifies a separate PHP script by sending the variable "complete=1" to lockdown.php (located at www.domain.com/flash8directory/lockdown.php), which runs the following simple script:

    <?php
    // Flash posts complete=1 once it has finished with the uploaded file.
    $success = 0;
    $complete = isset($_POST['complete']) ? $_POST['complete'] : 0;
    if ($complete == 1) {
        // Lock the upload folder down again.
        if (chmod("./saved_files", 0100)) {
            $success = "yes";
            echo "success=yes";
        }
    }
    ?>

This script works and "saved_files" is set to chmod 0100, but here is the problem.
If I then navigate directly to the url of the uploaded file by entering its path in my browser (www.domain.com/flash8directory/saved_files/uploadedFile.jpg), the uploaded file appears in my browser! However, if I then refresh the browser I get the desired error message saying I do not have permission to access that file. Also, other browser windows never have access to view the uploaded file, only the browser from which the file was uploaded.

Any thoughts on why I can view the uploaded file even though it has been set to chmod 0100? I'd really rather not have those files accessible to anyone, as an extra security layer.

Thank you for your help!

Andy

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
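
One way to do the image checks and the move that step 2 above describes for upload.php, added here as an example and not the poster's own code. The form field name "Filedata", the 2 MB limit, the store_uploaded_image() helper, the "&file=" part of the reply and PHP 7 or later with the fileinfo extension are assumptions.

```php
<?php
// Added example, not the poster's upload.php. Assumed: field name "Filedata",
// the size limit, the helper name, and PHP 7+ with the fileinfo extension.

const MAX_BYTES = 2097152; // assumed limit: 2 MB

function store_uploaded_image(array $file, string $destDir): string
{
    // Reject failed uploads and paths that did not arrive as an HTTP POST upload.
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // Decide the type from the file's bytes, never from the client-supplied
    // file name or Content-Type.
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($file['tmp_name']);
    if (!isset($allowed[$mime]) || getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not an accepted image');
    }

    // Server-chosen random name with a fixed image extension: the client
    // controls neither the stored name nor the extension the server sees.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $target = rtrim($destDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not store file');
    }
    chmod($target, 0644); // plain data file, no execute bit
    return $name;
}

if (isset($_FILES['Filedata'])) {
    try {
        $name = store_uploaded_image($_FILES['Filedata'], __DIR__ . '/saved_files');
        echo 'success=yes&file=' . $name; // assumed reply format for the Flash client
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'success=no';
    }
}
```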