How to safely prevent uploaded file from being run via PHP on any server?

后端 未结 10 2123
独厮守ぢ
独厮守ぢ 2021-02-15 13:13

I noticed that it\'s possible to run a file via PHP even if its extension wasn\'t .php, for example file test.xyz.php.whatever.zyx can be still run wit

10条回答
  •  予麋鹿
    予麋鹿 (楼主)
    2021-02-15 13:58

    First of all you need to understand what happens here:

    test.xyz.php.whatever.zyx
    

    Such a file on a webserver on it's own would do nothing. Only added configuration does tell Apache to execute PHP on that file.

    So if you remove that added configuration, Apache won't care to find .php in there - be it at the very end or part of a stacked file-extension.

    Check which handler you have set for php in your server configuration. Remove it for the upload directory. This then won't resolve any other configuration issues you might have with uploaded files, however PHP files aren't executed by PHP any longer then - which is what you want if I understood you right.

    If you've got a problem to find out what this is about, you need to post your PHP configuration in your httpd.conf file and associated Apache HTTPD configuration files for your system.

    The directive somebody told you for .htaccess:

    php_flag engine off
    

    does only work if you're running PHP as an apache SAPI module.

提交回复
热议问题