0

I'm making a web app that allows users to compose an image in canvas and then saving that to the uploads folder of my wordpress install. Right now the process of the app is as follows.

  1. User inputs user data (hence "anonymous", each upload through my app is tagged with some user data, albeit self submitted)
  2. User composes image on canvas
  3. Inputs verified & sanitized via js
  4. If clean, contents sent via ajax post
  5. php files handle creation of draft post & uploading of image via the media_handle_upload command

EDIT: I've set the permissions for the upload to 775 (I think that's what apokryfos was suggesting, I'm really new to managing servers) So I only have one question now.

  1. Is it possible to further secure my uploads folder? I already have a .htaccess file restricting the execution of php.

I wouldn't mind restricting my folder to just .png files which is the only thing I'm uploading to it, but I'm worried any .htaccess solution won't matter because it can just get overwritten.

xiskus
  • 111
  • 3
  • Having to allow write permissions to everyone makes no sense. You only need to allow the user who will do the writing to the directory. In most cases that's the user `www-data` – apokryfos Feb 28 '17 at 09:08
  • Okay, I'll try putting things to that setting and see what happens. – xiskus Feb 28 '17 at 09:14

1 Answers1

0

As long as you make sure the uploaded file is actually an image, there is no harm in changing your sub-directory's permissions. I think there's no way around this.

Please take a look here, where they've tried to fully secure PHP image uploading: Full Secure Image Upload Script

Community
  • 1
  • 1
WesselV
  • 336
  • 2
  • 10