[UPHPU] secure(ish) php writable directory

Jonathan Duncan jonathan at bluesunhosting.com
Fri Oct 5 10:41:29 MDT 2007


On 03 Oct 2007, at 12:02, phpninja wrote:

> Have a look at this security paper, it covers most everything you need
> to do a secure file upload with php.
>
> http://www.scanit.be/uploads/php-file-upload.pdf
>
> -phpninja
>
> On 10/2/07, Orson Jones <orson.uphpu at bookstore.usu.edu> wrote:
>> I am building the ability for authenticated users to create php files
>> and upload graphics. These would then be served by the server.
>>
>> More details. The php files are automagicly generated by form input
>> (that doesn't allow php code) This is heavily filtered/escaped. I am
>> fairly confident in this part (security of code generated.) The php
>> files will be served by include($file), then calling functions  
>> defined
>> within the file. The php files are also designed so that if they  
>> were to
>> be served directly, they would not output anything.
>>
>> I haven't started on the graphics upload yet, but it would be  
>> served the
>> same way. (through my php program, not directly by apache)
>>
>> So, there is no reason apache needs to see the uploaded/created  
>> files,
>> but php does need to see them. (ok, they are usually the same  
>> user, but
>> it's the idea I'm going for.) This is on a standard cheap linux  
>> hosting
>> server for the time being.
>>
>> I am wondering what setup you recommend for doing this type of thing.
>> Where do you save the files? How do you configure permissions? Can/ 
>> How
>> do you validate images? Etc.
>>

Thanks, that was a good article.




More information about the UPHPU mailing list