[UPHPU] secure(ish) php writable directory
jonathan at bluesunhosting.com
Fri Oct 5 10:41:29 MDT 2007
On 03 Oct 2007, at 12:02, phpninja wrote:
> Have a look at this security paper, it covers most everything you need
> to do a secure file upload with php.
> On 10/2/07, Orson Jones <orson.uphpu at bookstore.usu.edu> wrote:
>> I am building the ability for authenticated users to create php files
>> and upload graphics. These would then be served by the server.
>>
>> More details. The php files are automagically generated by form input
>> (that doesn't allow php code). This is heavily filtered/escaped. I am
>> fairly confident in this part (security of code generated.) The php
>> files will be served by include($file), then calling functions
>> within the file. The php files are also designed so that if they
>> were to be served directly, they would not output anything.
>>
>> I haven't started on the graphics upload yet, but it would be served
>> the same way. (through my php program, not directly by apache)
>>
>> So, there is no reason apache needs to see the uploaded/created
>> but php does need to see them. (ok, they are usually the same user,
>> but it's the idea I'm going for.) This is on a standard cheap linux
>> server for the time being.
>>
>> I am wondering what setup you recommend for doing this type of thing.
>> Where do you save the files? How do you configure permissions? Can/do
>> you validate images? Etc.
Thanks, that was a good article.
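
An added example, not part of this thread or of the paper it mentions: one way to handle the graphics upload described in the quoted message, storing files outside the document root and serving them only through PHP. It assumes PHP 7 or later; UPLOAD_DIR, the size limit and the function names are hypothetical.

```php
<?php
// Added example. UPLOAD_DIR is a hypothetical directory outside the web
// server's document root, so Apache never maps a URL onto an uploaded file.
const UPLOAD_DIR  = '/srv/app-data/uploads';
const MAX_BYTES   = 2097152; // hypothetical 2 MiB limit
const IMAGE_TYPES = [IMAGETYPE_PNG => 'png', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_GIF => 'gif'];
const MIME_TYPES  = ['png' => 'image/png', 'jpg' => 'image/jpeg', 'gif' => 'image/gif'];

// $file is one entry of $_FILES. Returns the server-chosen stored name.
function store_uploaded_image(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    if (filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Decide the type from the file's content, not from the client-supplied
    // name or MIME type. This only inspects the image header.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !array_key_exists($info[2], IMAGE_TYPES)) {
        throw new RuntimeException('not an accepted image type');
    }
    // Random name and fixed extension: nothing from the client reaches the path.
    $name = bin2hex(random_bytes(16)) . '.' . IMAGE_TYPES[$info[2]];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0600); // readable and writable by the PHP user only
    return $name;
}

function serve_image(string $name): void
{
    // Accept only names of the form generated above, which rules out
    // path traversal and any other file in the directory.
    $path = UPLOAD_DIR . '/' . $name;
    if (!preg_match('/\A[0-9a-f]{32}\.(png|jpg|gif)\z/', $name, $m) || !is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . MIME_TYPES[$m[1]]);
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . filesize($path));
    readfile($path); // sent as bytes; an uploaded file is never include()d
}
```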