In my project users are allowed to upload files of any type. I need to ensure security against execution of uploaded files that can parsed by php (*.php, *.html, etc.)
why not just rename the file extensions upon upload to .phps
?
To clarify PHPS is the source code view of a PHP file:
To clarify:
file.php
=> file.phps
quick google example:
Keep them all under the same folder and set this line in the directory's .htaccess
file:
php_flag engine off
That will also take care of other exploits such as embedding PHP code in .gif files.
You want the Apache SetHandler directive: http://httpd.apache.org/docs/current/mod/core.html#sethandler
This lets you force all files in a directory to be processed by a certain handler. So something along the lines of:
<Location /web/uploads>
SetHandler None
</Location>
should do what you want.