
Let's say I have an image uploader script. I want to prevent the upload directory from executing PHP or even HTML by only showing it as plain text. I've seen this trick on many websites but I don't know how they do it.

Briefly, if I upload evil.php to that directory and I try to access it, I will only see the plain text source; no HTML or PHP is executed. (But I still want the images to appear normally, of course.)

I know I can do that with header("content-type:text/plain"); but that will not be helpful, because what I want is to have the server set content-type:text/plain automatically for everything output from the upload directory except images.

Note: I'm running PHP 5.3.2/CentOS and the latest cPanel.

Thanks

Sripathi Krishnan
Emily
  • Is it safe to assume that you're using Apache as your HTTP server? Because all of the solutions so far assume that – Gareth Apr 11 '10 at 22:27
  • JavaScript will only execute if called from an HTML file, as far as I know. Try clicking on a .js file link from your browser, and it pulls up plaintext. Some browsers may try to download the file, so it's best to set the type to text/plain to account for that, but there's no real risk of someone uploading a .js by itself and having it hurt another user. (Again, good call to neutralize anyway, but since you mentioned JS specifically...) – Anthony Apr 11 '10 at 22:31
  • @Gareth, I would be pretty shocked if they were running something else on CentOS. Is there any other mainstream HTTP server for Linux? – Anthony Apr 11 '10 at 22:32
  • If you are only going to allow pictures to be uploaded, it would be best to make sure in the script that it does not allow executable files to be uploaded. Of course, it's always better with added security in case someone somehow found an exploit in your script. I also see that people assume that you run Apache as the web server; it might be a good thing to specify what web server you are running. This might not be directly PHP related but more web server related. – Hultner Apr 11 '10 at 22:35
  • @Anthony: lighttpd maybe isn't as big but it's being used and is an alternative. – Hultner Apr 11 '10 at 22:39
  • @Anthony - e.g. Nginx (http://en.wikipedia.org/wiki/Nginx) is growing in popularity, but yes I appreciate that it's overwhelmingly likely that it's an Apache server – Gareth Apr 11 '10 at 22:39

4 Answers

At the very least, you'll want to put the following in your .htaccess file for the upload directory:

Options -Indexes
Options -ExecCGI
AddHandler cgi-script .php .php3 .php4 .phtml .pl .py .jsp .asp .htm .shtml .sh .cgi

The problem with an .htaccess file is that if your upload script does not block it, your .htaccess can be overwritten. An alternative solution is using an Apache directive (if you are using Apache) shown here: Disable PHP in directory (including all sub-directories) with .htaccess

sblom

Put a .htaccess in the upload directory.

AddType 'text/plain' .php .html

or

ForceType 'text/plain'
#...
Ming-Tang

Do a Google search for "disable script execution for directory" to turn up a number of options. This one is my favorite:

AddType text/plain .html .htm .shtml .php .php3 .phtml .phtm .pl .py .cgi .js

The only downside is that you have to explicitly name the extensions not to run, but it may be possible (just a hunch) to use some sort of wildcard so that all file extensions are considered plain text, and then manually add the MIME type for your standard image extensions.

Anthony
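The "everything is plain text except an allow-list of images" idea from the answer above, written out as a complete .htaccess for the upload directory. This is an added example, not the configuration of any answerer; it assumes Apache 2.4 with mod_mime and mod_headers loaded, PHP running as mod_php (the php_flag block is skipped otherwise), and a vhost that grants AllowOverride FileInfo Options (without the Options grant, Apache refuses the file with a 500).

```apacheconf
# .htaccess for the upload directory (added example, assumptions noted in the lead-in).

# No directory listings, no CGI, no server-side includes in this tree.
Options -Indexes -ExecCGI -Includes

# If PHP is loaded as an Apache module, switch the engine off here entirely.
# (Under suPHP/FastCGI this block is inert; the RemoveHandler below still applies.)
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>

# Drop any handler or MIME mapping the server config attached to script
# extensions, so nothing in this tree is routed to an interpreter.
RemoveHandler .php .php3 .php4 .php5 .phtml .phps .pl .py .cgi .sh .shtml
RemoveType    .php .php3 .php4 .php5 .phtml .phps .pl .py .cgi .sh .shtml

# Default for everything: serve the bytes as inert text, whatever the name says.
# ForceType overrides AddType, so renaming a file cannot pick a richer type.
SetHandler default-handler
ForceType text/plain

# Allow-list: only the image extensions the uploader accepts get a
# browser-renderable type. ForceType None undoes the directory-wide ForceType.
<FilesMatch "\.(?i:gif|jpe?g|png)$">
    ForceType None
    AddType image/gif  .gif
    AddType image/jpeg .jpg .jpeg
    AddType image/png  .png
</FilesMatch>

# Stop browsers from sniffing "text/plain" back into HTML or script.
<IfModule mod_headers.c>
    Header set X-Content-Type-Options "nosniff"
</IfModule>
```

Because images are matched purely by extension, the upload script must still validate file contents (e.g. with getimagesize() or finfo) and reject anything that is not a real image, as BalusC's answer points out.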

Since you're talking about an image uploader, you don't want to display images as plain/text. How would you separate images from malicious files? During that task, just block saving the particular file.

BalusC