Re: File Upload Security and chmod

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Tedd,

Thanks so much your thorough response - it's good to know that I'm not the
only one trying to figure this out!  I'm curious, in your code you use the
PHP ftp functions, but I have used the PHP functions chmod() and mkdir()
without establishing an ftp connection.  Is it faster to establish an ftp
connection within PHP and then use the ftp series of functions to accomplish
all of the directory creation and permissions changes?  If so, then I will
probably change my code to follow yours.

Andy


On 9/25/06, tedd <tedd@xxxxxxxxxxxx> wrote:

At 9:32 PM -0600 9/24/06, Andy Hultgren wrote:
>Hi Tedd,
>
>Yes, when I browse to www.myDomain.com I get the index.html file, and so
I
>have been leaving the .public_html/ directory alone since it is not my
>root.  I'm curious, what you described is exactly what I'm trying to do -
>what permissions do you set the parent folder at when you are finished
>uploading/saving/downloading/etc.?  I have my "uploaded_images/"
>directory set at chmod 0100 and I can still browse to an uploaded image
from
>my file upload page...  Thanks for your response,


Andy:

I ran into the same problem trying to work with, and understand,
permissions on a virtual host. When I asked this gang about
permissions some time back, I received answers that ranged from RTFM
to calling me stupid for using 0777, but none answered my question.
No fault of the gang, I probably didn't ask the question correctly.
In any event, I felt too stupid to ask the question again, so I went
elsewhere looking for answers and eventually found something that
works for me.

Some consider me a novice, so I'll ask the gang to overview my
comments to make sure that I'm not guiding you down the wrong path.

As you know, the key to setting the permissions of a file depends
upon the permissions the parent folder. If the parent folder
permission is set to 0777, then we can change any files inside the
folder as we want. However, that also presents a major security hole
because then anyone can use that folder to upload and run evil code.

So, the key problem is how to alter parent folder permissions.

With virtual hosting, we can upload, manage, and set permissions as
we want via our FTP connection software. So, I thought perhaps php
had something like that and as such I discovered how to ftp connect
via php.

Now, not all php ftp_<commands> are available to php 4, but you can
connect to your site and change permissions of folders, which is what
we actually need. So, if you want to do something with a file: then
change the folder permissions of the folder that holds it; do
whatever you want with the file; and then change the folder
permissions back to something safe.

You can also create new folders if you want using the command ftp_mkdir().

Note, the beginning of the ftp_paths are different than url paths we
would normally use to locate a file. For example:

An example web path:

http://www.yourdomain.com/rw/tmp/text.txt

An example symbolic link:

public_html/rw/tmp/text.txt

The following code will show you an example of how this works. Just
put in your own domain, user id, password, and correct paths and try
it out. Change the permissions in the code and watch how the file
permissions change.

Please let me know if this works for you -- watch for line breaks.

hth's

tedd

PS: I don't know what to say about your ".public_html/" directory,
but I would just leave it alone.

---

// how to call the function

<?php

$ftp_path = "public_html/rw/";  // note the ftp path
$theDir = "tmp";
$theFile ="text.txt";
FtpPerms($ftp_path, $theDir, $theFile);
?>


// the function

<?php
// create directory and change permissions via FTP connection

function FtpPerms($path, $theDir, $theFile)
{

$server='ftp.yourdomain.com'; // ftp server
$connection = ftp_connect($server); // connection

$user = "you";
$pass = "yourpassword";
$result = ftp_login($connection, $user, $pass); // login to ftp server

if ((!$connection) || (!$result))
{
echo("No connection<br/>");
return false;
exit();
}
else
{
echo("Made connection<br/>");
ftp_chdir($connection, $path); // go to destination dir

echo("Change permission<br/>");
$str="CHMOD 0755 " . $theDir; // change permissions for dir (note the
space after 0775 )
ftp_site($connection, $str);
echo("$str<br/>");

$filename = "$theDir/$theFile";
$contents = "This is the contents of the file.";

echo("<hr><br/>Writing file <br/><br/>");

$file = fopen( $filename, "w" );
fwrite( $file, $contents);
fclose( $file );
chmod($filename,0755);

echo("Change permission<br/>");
$str="CHMOD 0600 " . $theDir; // change permissions back for dir
ftp_site($connection, $str);
echo("$str<br/>");


echo("Close connection<br/>");
ftp_close($connection); // close connection
}

}
?>
--
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux