
I have searched various "PHP upload security" posts, especially in regards to blocking PHP files from being uploaded, but there does not seem to be a definite way to prevent disguised PHP files from getting uploaded from a "filemanager"-like application with file rename capabilities. Please correct me if I am wrong.

Of course one can do checks on both extension and mime type on upload. However, a user could easily upload "index.html" (containing some PHP) and then rename it to "index.php" from the filemanager, so this doesn't seem to offer much security. One could of course prevent renaming files to "*.php", but that seems fragile at best.

The ultimate solution of course is to disable PHP execution within directories where files are stored. However, the filemanager app will be distributed, and I can only recommend this to server owners, not enforce it.

Any feedback appreciated. Just for reference, I am referring to a distributed PHP filemanager application, so I have no control of the server environment (apart from making recommendations). The filemanager allows renaming files, and users would generally want to upload most file types (excluding PHP).

  • The uploaded files should be only uploaded files. You should not run them using PHP; even if you need to allow your user to upload a file (let's say his own CSS for his profile), this file should only be loaded as a static file. Commented Oct 4, 2021 at 9:53
  • Use a virtual filesystem, i.e. /uploads/file.php doesn't actually point to ./uploads. Then you don't serve the file through the webserver but instead load its contents and, based upon detecting its mimetype and storing that alongside the filename and actual location, you set the correct Content-Type when serving it back. This would scale if you used S3 or some other place to store files other than the filesystem. Commented Oct 4, 2021 at 10:01

1 Answer


The uploaded files should be only uploaded files (assets or static files). You should not run them using PHP; even if you need to allow your user to upload a file (let's say his own CSS for his custom profile), this file should only be loaded as a static file.

In nginx, for example:

server {
    # ....

    # Only hand a .php request to the interpreter if that exact file exists;
    # otherwise return 404 instead of falling through to another handler.
    location ~ \.php$ {
        try_files $uri =404;
        # ...
    }

    # Static assets are served as-is by nginx and never reach PHP.
    location ~* \.(js|css|jpg|jpeg|gif|png|tgz|gz|rar|bz2|doc|pdf|ppt|tar|wav|bmp|rtf|swf|ico|flv|txt|woff|woff2|svg)$ {
        # rest of configuration;
    }

    # ....
}


2 Comments

It's a useful option thank you, although I specifically stated in my post that I have no control of the servers where the filemanager app would be distributed, so it doesn't answer the question specifically.
There is no luck doing this in the app layer; the only way is to scan the file to check if it contains any PHP code snippet.
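As an added example (not code from the question, the answer, or any file manager project), this is the shape of the app-layer gate that the question's rename problem and the last comment's scanning suggestion point to: one check applied to both the upload and the rename path, plus a heuristic scan for PHP open tags. The extension list, function names and sample inputs are assumptions, and the scan is a heuristic, not a substitute for disabling PHP execution in the upload directory.

```php
<?php
// Added example, not part of the original question or answer.
// A distributed PHP file manager cannot control the web server, so the
// best it can do is apply ONE gate to every path that produces a file
// name on disk. If only the upload handler checks the name, the
// "upload index.html, then rename it to index.php" sequence bypasses it.

// Constructed list of extensions commonly mapped to a PHP handler.
// Adjust it to the handlers the deployment environment actually maps.
const BLOCKED_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'php7', 'phps', 'phtml', 'phar'];

// Reject a destination name if ANY dot-separated segment is a blocked
// extension, so "doc.php.jpg" is treated the same as "doc.php": some
// servers pick the handler from an inner extension, not only the last one.
function isSafeFileName(string $name): bool
{
    $name = basename($name);              // drop any path component
    if ($name === '' || $name[0] === '.') { // no empty names, no dotfiles
        return false;
    }
    $segments = explode('.', strtolower($name));
    array_shift($segments);               // first segment is the base name
    foreach ($segments as $segment) {
        if (in_array($segment, BLOCKED_EXTENSIONS, true)) {
            return false;
        }
    }
    return true;
}

// Content scan independent of the name: matches "<?php", "<?=" and the
// short "<? " open tag anywhere in the bytes. Heuristic only.
function containsPhpCode(string $contents): bool
{
    return preg_match('/<\?(?:php\b|=|\s)/i', $contents) === 1;
}

// Single gate shared by the upload handler and the rename handler.
function acceptFile(string $destinationName, string $contents): bool
{
    return isSafeFileName($destinationName) && !containsPhpCode($contents);
}

// Constructed sample inputs: the first should pass, the rest should be rejected.
foreach ([['report.pdf', '%PDF-1.4'], ['index.php', '<html></html>'],
          ['index.php.jpg', "\xFF\xD8\xFF"], ['index.html', '<?php echo 1; ?>']] as [$n, $c]) {
    printf("%-15s %s\n", $n, acceptFile($n, $c) ? 'accepted' : 'rejected');
}
```

The rename handler must call acceptFile() with the new name and the existing file's contents, since the rename is where a harmless-looking upload would otherwise become an executable one.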
