How to block uploaded files?

Question

Based on this two questions:

I wrote an easy password protected file uploader.

So I have password verifier named password.php

    <body>
        <?php
            $pass = $_POST['pass'];
            {?>
                <form method="POST" action="password.php">
                    Password <input type="password" name="pass"></input>
                    <input type="submit" name="submit" value="Ok"></input>
                </form>
            <?}
                if($pass == "admin")
                    {
                    include("../uploader.html");
                    }
        ?>
    </body>

As you can tell from the code. If pass is ok it includes uploader.html from out of public_html folder.

    <body>
        <form enctype="multipart/form-data" action="upload.php" method="POST">
            <input name="thefile" type="file" /><br>
            <input type="submit" value="Send" />
        </form>
    </body>

In the end we use upload.php to send "thefile" to folder named files.

    <body>
        <?php
            $thefile_tmp = $_FILES['thefile']['tmp_name'];
            $thefile_name = $_FILES['thefile']['name'];
            if(is_uploaded_file($thefile_tmp)) 
                {
                move_uploaded_file($thefile_tmp, "files/$thefile_name");
                }
        ?>
    </body>

I changed files folder's chmod to 777 and everything works fine.

I gave the password to bunch of students and I asked them to send me reports. A student now can anonymously upload a malicious file (lets say loop.php) and open it in a browser .../files/loop.php.

So I want to protect my site from such stories. I tried to set files folder's chmod to 773 or 776. On 776 my code lost ability to send files. On 773 you can still open things in files folder.

Question/Request Is there an easy way to block uploaded files from opening?

Good easy solution which I used

Based on @Fred -ii- suggestion I added to upload.php an extension verifier. Now it look like this

<body>
    <?php
        $thefile_tmp = $_FILES['thefile']['tmp_name'];
        $thefile_name = $_FILES['thefile']['name'];
        $thefile_ext = pathinfo($thefile_name, PATHINFO_EXTENSION);
        if(is_uploaded_file($thefile_tmp))
            {
            if( $thefile_ext == 'zip')
                {
                move_uploaded_file($thefile_tmp, "files/$thefile_name");
                }
            }
    ?>
</body>

Alternative solution

As @alexander.polomodov answeres. I just put .htaccess file in files folder and still files can be send, but no one can access it. This method does not fit me, cause I wanted students to be able to peep at each others reports.

You could remove the .php extension from the file when uploaded. so when the server gets an request on the recent uploaded file it does not execute the file. — Fin, Mar 12 '16 at 22:11
*"I asked for .zip files"* - Yeah, here in comments. Not in your question. What stops you from adding to the array from the possible dupe? Did you not go through all of the answers in there? — Funk Forty Niner, Mar 12 '16 at 22:12
you deleted your comment about *"I asked for .zip files"* and now you're no longer responding. see the guy's answer below then and one of those links could be one of the dupes then. — Funk Forty Niner, Mar 12 '16 at 22:19
@Fred-ii- Sorry. i do not catch up. Now I am trying to check whether I have Apache or Nginx on my server. — Fallen Apart, Mar 12 '16 at 22:21
@Fred-ii- I used solution you put in the link and it works fine. PS. Sorry for deleting previous comment. — Fallen Apart, Mar 12 '16 at 22:56
great glad to hear it. Since you used it, it should be closed as a duplicate. *Cheers* — Funk Forty Niner, Mar 12 '16 at 22:57

score 1 · Answer 1 · edited May 23 '17 at 11:46

1

What webserver do you use?

1) If you use Apache follow this answer

Add file files/.htaccess with string:

Deny from all

2) If you use Nginx follow this answer

Add to your nginx config:

location /files {
    deny all;
    return 404;
}

edited May 23 '17 at 11:46

Community

1
1

answered Mar 12 '16 at 22:15

alexander.polomodov

5,396
14
39
46

You can try first variant, it's probably your solution, because apache is common webserver for hostings. – alexander.polomodov Mar 12 '16 at 22:27
I tried to add .htaccess, but file did not appear on server – Fallen Apart Mar 12 '16 at 22:28
How you usually upload file on your webser? – alexander.polomodov Mar 12 '16 at 22:30
By WinSCP, but to terminal I log by mRemoteNG. – Fallen Apart Mar 12 '16 at 22:30
you add your .htacces file into files directory and can't see it in WinSCP or on websers? I question you because it's normal that you can't see .htaccess files on websers (these files for servers not for people:) ) – alexander.polomodov Mar 12 '16 at 22:38
I do not see in in WinSCP. EDIT. I see. Now I cant acess it by browser. So it works. But how to change it back? – Fallen Apart Mar 12 '16 at 22:39
just remove `.htaccess` file or remove string `Deny from all` from it – alexander.polomodov Mar 12 '16 at 22:47
But .htaccess is invisible in WinSCP. I deleted folder and created new one. – Fallen Apart Mar 12 '16 at 22:48
I can't help with WinSCP because I prefer to use linux (e.g. Debian, Ubuntu, Centos) or FreeBSD fork with name MacOs:) – alexander.polomodov Mar 12 '16 at 22:57
Ok. I checked and your method works just fine. .htaccess file do the job. – Fallen Apart Mar 12 '16 at 23:39

How to block uploaded files?

1 Answers1