
I am creating a website that allows users to upload any type of file and download it later.

So I have a secret folder; all the files are saved there and returned via a PHP script.

I want to disable all script execution, so I added the code below to the .htaccess in the secret folder.

<Files *>
    SetHandler default-handler
</Files>

It's working perfectly. But now, how do I prevent users from uploading a .htaccess file? I can just try blocking it by matching the filename against .htaccess in the PHP script. But is there any other workaround for hackers to upload the .htaccess file?

Vishnu

  • You could probably add `AllowOverride None` to an htaccess file in the parent directory (or to the conf, targeting the child directory), which will prevent htaccess files from being parsed (not preventing upload; they would just be ignored). Or you could just create a .htaccess file there and change permissions so it can't be overwritten by the web server. – Jonathan Kuhn May 20 '15 at 17:08
  • The `www-data` user (the one that places the files in the directory) should be different from `whatever` (the one who created the .htaccess file). – Axalix May 20 '15 at 17:09
  • @JonathanKuhn: I tried it as you said with http://stackoverflow.com/a/18948152/2392904 .. but it's not serving files like jpg files either... – Vishnu May 20 '15 at 17:11
  • @Axalix: I have only one user... – Vishnu May 20 '15 at 17:12
  • `AllowOverride` just tells Apache not to allow the `htaccess` files to overwrite the current configuration. Apache then ignores `htaccess` files. When you say "not serving files", what do you mean? Is it prompting for a download for everything? Is it throwing an error (maybe even check the error logs)? Is it displaying the binary image data as text? In reality, these files shouldn't be accessible to Apache. They should be outside of the webroot and you should use PHP to access the files and send the correct headers by file type. Then htaccess/php/any file wouldn't be an issue. – Jonathan Kuhn May 20 '15 at 17:18
  • @JonathanKuhn: It's showing a not found error... and about storing files outside the webroot.. yeah, that's what I was thinking... If I store all files outside the webroot, there are no security issues? – Vishnu May 20 '15 at 17:29
  • Correct, Apache won't be trying to parse any files or loading scripts. You still would want to set up correct permissions such as `400` (read to owner only, to prevent anyone else from accessing the files) and then use a PHP script to read the file. You could even name the files by something like a hash and then store the hash filename with stats (type, handler) and the real filename in a database somewhere. PHP can handle sending headers to view specific file types (images) or even forcing a download prompt. mod_rewrite could disguise the files being outside the webroot as well. – Jonathan Kuhn May 20 '15 at 17:33
  • Yeah, I am renaming filenames with a hash and serving them with a separate PHP file.. thank you! You are really helpful.. Is changing the upload folder permission to 400 enough, or should I change the permission of each file while storing? – Vishnu May 20 '15 at 17:38
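The scheme the comments converge on (files outside the webroot, named by hash, per-file `0400`, served back through PHP with headers chosen by the server), written out as an added example; this is not the asker's code. `STORAGE_DIR`, `storeUpload`, `serveFile` and the `$meta` array standing in for the database table are assumptions for the illustration.

```php
<?php
// Added example, not the asker's code. STORAGE_DIR is a hypothetical path
// outside DocumentRoot, owned by the web server user so readfile() can read
// 0400 files; $meta stands in for the database table the comments describe.
const STORAGE_DIR = '/var/www/private_uploads';

// Constructed metadata store: storage hash => original name and MIME type.
$meta = [];

// Move a finished upload into storage. The stored name is the file's SHA-256,
// so the client-supplied filename never reaches the filesystem: an upload
// called ".htaccess" or "x.php" just becomes 64 hex characters.
function storeUpload(array $upload, array &$meta): string
{
    $hash = hash_file('sha256', $upload['tmp_name']);
    $dest = STORAGE_DIR . '/' . $hash;
    if (!move_uploaded_file($upload['tmp_name'], $dest)) {
        throw new RuntimeException('could not store upload');
    }
    chmod($dest, 0400);  // per-file: owner read-only, answers the 400 question
    // Detect the type from the bytes, not from what the client claimed.
    $type = (new finfo(FILEINFO_MIME_TYPE))->file($dest) ?: 'application/octet-stream';
    $meta[$hash] = ['name' => basename($upload['name']), 'type' => $type];
    return $hash;
}

// Serve a stored file by hash. Only an exact 64-hex id is accepted, so no
// "../" or dotfile can be spelled into the path; headers come from our
// metadata, and nosniff stops browsers from reinterpreting the content.
function serveFile(string $id, array $meta): void
{
    $path = STORAGE_DIR . '/' . $id;
    if (!preg_match('/^[a-f0-9]{64}$/', $id) || !isset($meta[$id]) || !is_file($path)) {
        http_response_code(404);
        exit('Not found');
    }
    header('Content-Type: ' . $meta[$id]['type']);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename*=UTF-8\'\''
        . rawurlencode($meta[$id]['name']));
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

if (isset($_FILES['upload'])) {
    echo storeUpload($_FILES['upload'], $meta);  // hand the hash back to the user
} elseif (isset($_GET['id'])) {
    serveFile($_GET['id'], $meta);
}
```

With `$meta` kept in a real table instead of an array, the same two functions cover both halves of the flow; Apache never serves anything from `STORAGE_DIR` directly, so an `.htaccess` stored there is inert.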
