1

I'm working on a little project with a few friends, and have set up a pretty simple PHP upload script that only certain users can access. I am not worried about any type of attacks against the server, since this is for fun, but I do have a question.

I've made a subdomain (static.foo.bar) where the uploaded files are moved to. This subdomain had mod_php turned off, to prevent malicious upload and execution of php scripts. The script also checks for file extensions and mime content types, but I assume those can easily be bypassed/spoofed.

However, a user could easily upload an .html file and have it redirect somewhere else. Likewise, they could upload an image file instead and have it display an image in the browser, instead of being asked to download the image.

I assume this is the behavior of the browser, but I've also noticed that when uploading a file to sendspace (or any other service), even if the file is .html (and valid html) it will ask the user to download it instead of displaying it on the website.

I am running Apache on CentOS.

How do I accomplish this?

Tyrone Whiteral
  • 33
  • 3
  • 1
    You can do that by setting headers to force download and readfile to read the file with php. Here an example: http://stackoverflow.com/questions/2222955/idiot-proof-cross-browser-force-download-in-php – Green Black Aug 16 '12 at 05:38

1 Answers1

1

ForceType is probably what you're looking for.

# In your .htaccess file
<Location /uploads_directory>
    ForceType application/octet-stream
</Location>

You want to set all files' mime type to application/octet-stream so the browser will download them instead of trying to show the content.

fardjad
  • 20,031
  • 6
  • 53
  • 68