Re: File Upload Security and chmod

I always use the FTP functions of PHP to upload files. I think it's safer 
than the move_uploaded_file function.


"Andy Hultgren" <wearhdphp@xxxxxxxxx> wrote in message 
news:3d9c688e0609221358j55d1d49fg9e29969b5028023f@xxxxxxxxxxxxxxxxx
> Hi,
> I am relatively new to php and am trying to set up a file upload
> process for my website.  I have read through the php security
> documentation and a number of the security-related questions on these
> lists and am attempting to implement as many of the measures as
> possible.
> One of the suggestions I have read is to have the uploaded files saved
> somewhere outside of your root directory.  Unfortunately I cannot do
> that as my root directory is simply www.myDomain.com and not
> ".public_html/" and I am on a shared server where my root cannot be
> changed (I have already asked).  So, I am trying to keep the
> permissions on my "saved_files" folder as tight as possible except
> when the actual upload occurs.  I do this as follows:
>
> 1) The actual file upload comes through Flash8, and when the user
> uploads a file it is sent to
> www.domain.com/flash8directory/upload.php, which is in the same
> directory as the Flash8 upload application.
> 2) upload.php first chmod 0740 the "saved_files" folder (which is
> located at www.domain.com/flash8directory/saved_files/).  Then it does
> security checks to make sure an appropriate image has been uploaded,
> and if everything looks good it moves the uploaded file to
> "saved_files".
> 3) The Flash8 upload application is notified of the completion of the
> upload and downloads the new image into its viewer.
> 4) Once the download is complete and Flash8 no longer needs to work
> with the file, the Flash8 application notifies a separate php script
> by sending the variable "complete=1" to lockdown.php (located at
> www.domain.com/flash8directory/lockdown.php), which runs the following
> simple script:
>
> <?php
>
> // lockdown.php: called by the Flash application with complete=1 once it
> // has finished reading the uploaded image.
> $success  = 0;
> $complete = isset($_POST['complete']) ? $_POST['complete'] : 0;
>
> if ($complete == 1) {
>     // Drop group/other access to the upload folder (owner: execute only).
>     if (chmod("./saved_files", 0100)) {
>         $success = 1;
>         echo "success=yes";
>     }
> }
> ?>
>
> This script works and "saved_files" is set to chmod 0100, but here is
> the problem.  If I then navigate directly to the url of the uploaded
> file by entering its path in my
> browser(www.domain.com/flash8directory/saved_files/uploadedFile.jpg),
> the uploaded file appears in my browser!  However, if I then refresh
> the browser I get the desired error message saying I do not have
> permission to access that file.  Also, other browser windows never
> have access to view the uploaded file, only the browser from which the
> file was uploaded.
>
> Any thoughts on why I can view the uploaded file even though it has
> been set to chmod 0100?  I'd really rather not have those files
> accessible to anyone, as an extra security layer.
>
> Thank you for your help!
>
> Andy 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
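The thread above is about an upload folder that is opened with chmod for the duration of an upload and closed again afterwards. Below is an added example (not code from either poster) showing the approach a security engineer would normally reach for instead on a shared host where files cannot live outside the web root: the folder is denied to the web server permanently, the upload handler validates the bytes and chooses the file name itself, and a small read-through script is the only way an image reaches a browser. It assumes Apache with a `saved_files/.htaccess` containing `Deny from all` (Apache 2.2) or `Require all denied` (Apache 2.4), PHP 7.0 or later for `random_bytes()`, the fileinfo extension, and a form field named `upfile`; all of those names are assumptions, not taken from the thread. The viewer also sends `Cache-Control: no-store`, so a browser that has just displayed an image does not keep a copy it can redisplay after server-side permissions change.

```php
<?php
// Added example, not from the original thread. Assumed layout: this file and
// saved_files/ live in the same directory, and saved_files/.htaccess denies
// all direct access ("Deny from all" / "Require all denied"). Requires
// PHP >= 7.0 (random_bytes) and the fileinfo extension.

define('SAVE_DIR', __DIR__ . '/saved_files');
define('MAX_BYTES', 2 * 1024 * 1024);   // 2 MiB; adjust as needed

// MIME types we accept, mapped to the extension we will write. Everything
// else is rejected, whatever the client claims in its own filename.
$ALLOWED = array(
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
);

/**
 * Validate and store one uploaded image.
 * Returns the generated id on success, or a string starting "error:" on failure.
 */
function store_upload($field, array $allowed) {
    if (!isset($_FILES[$field]) || $_FILES[$field]['error'] !== UPLOAD_ERR_OK) {
        return 'error:no_file';
    }
    $tmp = $_FILES[$field]['tmp_name'];
    // Reject anything that did not arrive through PHP's upload mechanism.
    if (!is_uploaded_file($tmp)) {
        return 'error:not_an_upload';
    }
    if (filesize($tmp) > MAX_BYTES) {
        return 'error:too_large';
    }
    // Sniff the actual bytes; $_FILES[...]['type'] is client-controlled.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $tmp);
    finfo_close($finfo);
    if (!isset($allowed[$mime])) {
        return 'error:bad_type';
    }
    // getimagesize() must also parse it as an image of the same type.
    $info = @getimagesize($tmp);
    if ($info === false || image_type_to_mime_type($info[2]) !== $mime) {
        return 'error:not_an_image';
    }
    // Server-chosen random name: no path traversal, no double extensions.
    $id   = bin2hex(random_bytes(16));
    $dest = SAVE_DIR . '/' . $id . '.' . $allowed[$mime];
    if (!move_uploaded_file($tmp, $dest)) {
        return 'error:move_failed';
    }
    chmod($dest, 0640);   // owner/group readable, never executable
    return $id;
}

/**
 * Serve a stored image by id through PHP, since the folder itself is denied.
 * Returns true if a file was sent, false if the id is malformed or unknown.
 */
function serve_image($id, array $allowed) {
    // Strict whitelist on the id: exactly 32 lowercase hex characters.
    if (!preg_match('/\A[0-9a-f]{32}\z/', $id)) {
        return false;
    }
    foreach ($allowed as $mime => $ext) {
        $path = SAVE_DIR . '/' . $id . '.' . $ext;
        if (is_file($path)) {
            header('Content-Type: ' . $mime);
            header('Content-Length: ' . filesize($path));
            header('X-Content-Type-Options: nosniff');
            // Do not let the browser keep a copy that outlives the server's
            // decision to stop serving the file.
            header('Cache-Control: no-store');
            readfile($path);
            return true;
        }
    }
    return false;
}

// Dispatch: a POST with the file field stores it; GET ?id=... serves it.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    echo store_upload('upfile', $ALLOWED);
} elseif (isset($_GET['id'])) {
    if (!serve_image($_GET['id'], $ALLOWED)) {
        http_response_code(404);
        echo 'not found';
    }
}
```

With this layout there is nothing to chmod back and forth: `saved_files/` is never reachable by URL, the stored names are unguessable and carry only a whitelisted extension, and the viewer decides per request whether to hand a file out, so access control lives in one place rather than in a permission bit that has to be toggled at the right moment.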

