2

In my Laravel application, I am using Laravel File Manager to enable users to upload profile images to their profile.

These images are uploaded to /project/public/assets/uploads/images/{user}/

In a test I carried out, in which I made a POST request to the given route, I was able to upload and execute PHP script in these directories

My first thought was to change the contents of the upload folder to use stricter permissions, so I changed every file in the image folder to use the following Unix file permissions: 0644. This should in principle deny public executable action.

I tried the test again, I could still execute the script.

Failing to bar potentially dangerous uploads, is there a way to disable PHP in a given directory?

As others have suggested, it is better to secure the folder.

To achieve a level of security I created a htaccess file in the root of the public uploads folder.

It looks like this:

# Disable PHP in public uploads folder
<IfModule mod_mime.c>
    RemoveHandler .php .phtml .php3 .php4 .php5
    RemoveType .php .phtml .php3 .php4 .php5
</IfModule>

<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
Jesse Luke Orange
  • 1,949
  • 3
  • 29
  • 71
  • Hi Jesse, Better to upload the files into a non public folder like /project/images/user. Then you can use something like this to display the image (https://stackoverflow.com/questions/27402572/how-to-echo-image-that-is-outside-of-the-public-folder) – Perrykipkerrie Aug 06 '18 at 12:32
  • just allow only know extensions to be uploaded. .png, .jpg, .gif deny all others. the webserver will not interpret those files as php unless you specify it to run .png through the php engine. – Tschallacka Aug 06 '18 at 13:18

0 Answers0