How to safely prevent uploaded file from being run via PHP on any server?

独厮守ぢ 2021-02-15 13:13

I noticed that it's possible to run a file via PHP even if its extension wasn't .php, for example file test.xyz.php.whatever.zyx can be still run wit

10 answers
  •  春和景丽
    2021-02-15 14:11

    I could reproduce your issue quite easily on our server. There is a way to fix this: you need to edit /etc/mime.types and comment out the lines

    #application/x-httpd-php                                phtml pht php
    #application/x-httpd-php-source                 phps
    #application/x-httpd-php3                       php3
    #application/x-httpd-php3-preprocessed          php3p
    #application/x-httpd-php4                       php4
    #application/x-httpd-php5                       php5
    

    These lines cause anything with .php in its name to be processed. Once you comment out the entries in mime.types, the mod_php config in /etc/apache2/mods-enabled/php5.conf has this entry, which correctly only processes files ENDING with .php

    
        SetHandler application/x-httpd-php
    
    

    What is REALLY SCARY is that this is a default config (Ubuntu 10.04 in our case).


    EDIT

    On Windows the mime.types file should be in apache_home/conf/mime.types
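
An added example, not part of the answer above or of Apache's own code: a simplified Python model of the lookup the answer describes, which reads a mime.types text and reports which upload names would reach the PHP handler before and after the entries are commented out. The sample mime.types content, the file list and the `\.php$` pattern standing in for the php5.conf entry are assumptions.

```python
import re

PHP_TYPE = "application/x-httpd-php"
# Assumed stand-in for the end-anchored pattern in php5.conf.
ENDS_WITH_PHP = re.compile(r"\.php$")

def parse_mime_types(text):
    """Map each extension to its type, skipping commented-out lines."""
    types = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for ext in fields[1:]:
            types[ext.lower()] = fields[0]
    return types

def mime_type_for(filename, types):
    """Simplified mod_mime lookup: every dot-separated extension is checked,
    unknown ones are skipped, and the rightmost known one sets the type."""
    found = None
    for ext in filename.lower().split(".")[1:]:
        found = types.get(ext, found)
    return found

def executed_as_php(filename, types):
    """True if either the mime.types mapping or the handler pattern selects PHP."""
    return (mime_type_for(filename, types) == PHP_TYPE
            or bool(ENDS_WITH_PHP.search(filename)))

def audit(mime_types_text, filenames):
    """Return the filenames that would reach the PHP handler."""
    types = parse_mime_types(mime_types_text)
    return [f for f in filenames if executed_as_php(f, types)]

# Constructed sample data: the mapping as shipped, and with the answer's fix.
DEFAULT = """\
image/jpeg                      jpeg jpg jpe
application/x-httpd-php         phtml pht php
application/x-httpd-php-source  phps
"""
FIXED = DEFAULT.replace("application/x-httpd-php", "#application/x-httpd-php")
UPLOADS = ["test.xyz.php.whatever.zyx", "photo.php.jpg", "photo.jpg", "index.php"]

if __name__ == "__main__":
    print("default:", audit(DEFAULT, UPLOADS))
    print("fixed:  ", audit(FIXED, UPLOADS))
```

In this model a trailing extension that mime.types knows, such as .jpg, overrides the PHP type, while unknown trailing extensions leave it in place.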
