
I have a project where there is Log in/out functionality, and authenticated users can upload, download and delete files they own.

My question is: is it enough security for the files part of my project to escape file names with htmlentities() and to prevent users from opening the directory where files are located with

<Directorymatch /cloud/>
        Order deny,allow
        Deny from all
</Directorymatch>

This means that if a .php file is uploaded, it cannot be run on my server by a user. Also, if the file name contains scripts / HTML, then it does not run.

What else am I missing in terms of security? I probably will be the only user of this bootleg "Google Drive", but I want to take security seriously. What am I missing?

1 Answer


You will need to ensure that your uploaded files are well sanitized and validated before being uploaded.

The finfo_* library would be good, but it only works with PHP versions >= 5.3.0. The Stack Overflow link below has the best solution on how to validate and secure your file upload using the best security measures. Source Link

Again, you may need to turn off the PHP engine in the upload directory, so you can create a php.ini file and enter this line of code

engine = off

Updated section

You might use shell_exec() and exec() for testing things locally, but you have to disable them in production because an attacker can use those shell commands to obtain your system or file information, which might lead to the compromise of your entire network.

For instance, take a look at the shell_exec() code below

<?php 

// Use ls command to shell_exec 
// function 
$output = shell_exec('ls'); 

// Display the list of all file 
// and directory 
echo "<pre>$output</pre>"; 
?>

Output:

transaction.php
index.html
moneyupdate.php

Now take a look at the exec() code below

<?php 
// (on a system with the "iamexecfunction" executable in the path) 
echo exec('iamexecfunction'); 
?> 

Output:

transaction.php

So in a nutshell, it's up to you to decide. If you are on shared hosting, you will need to disable them because your hosting neighbor might interfere, but if you are on a VPS or dedicated server, you might try it out on your own.

Nancy Moore
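Concretely, the content validation with finfo that the answer calls for, plus a directory listing that needs no shell (the alternative to `shell_exec("ls")` asked about in the comments), as an added example that is not Nancy Moore's code. `$uploadDir` and the allowlist are assumptions; `$uploadDir` is taken to be the directory already covered by the Deny/engine=off rules, and the original file name should still go through htmlentities() when shown to the user.

```php
<?php
// Added example (not the answer's own code): validate an upload by content
// with finfo, store it under a generated name, list it with scandir().
// Assumes $uploadDir is the directory protected by the Deny/engine=off rules.
const ALLOWED = ['pdf' => 'application/pdf', 'png' => 'image/png',
                 'jpg' => 'image/jpeg', 'txt' => 'text/plain'];

function validateUpload(array $file, int $maxBytes = 10 * 1024 * 1024): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > $maxBytes) {
        throw new RuntimeException('file too large');
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        throw new RuntimeException('extension not allowed');
    }
    // Decide on the bytes on disk, not on the client-supplied name or type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException("content type $mime does not match .$ext");
    }
    return $ext;
}

function storeUpload(array $file, string $uploadDir): string
{
    $ext = validateUpload($file);
    // Never reuse the user-supplied name on disk: random name, checked extension.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $uploadDir . '/' . $stored)) {
        throw new RuntimeException('could not store file');
    }
    return $stored;
}

// Directory listing without a shell: name and size via scandir()/filesize().
function listFiles(string $uploadDir): array
{
    $out = [];
    foreach (scandir($uploadDir) as $name) {
        $path = $uploadDir . '/' . $name;
        if ($name[0] === '.' || !is_file($path)) continue;
        $out[] = ['name' => $name, 'size' => filesize($path)];
    }
    return $out;
}
```

The MIME check rejects a file whose bytes do not match its extension (a .php renamed to .png, for example); it is a filter, and the engine-off rule in the upload directory remains the control that stops anything that slips through from executing.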
  • Thank you for the answer! Do I really need to sanitize every file uploaded though? The code cannot run unless I open the file, which my PHP code never does? I only allow upload, download and delete. Also a side question: is it safe to run shell commands to, for example, get the temperature of the server CPU using `shell_exec()` and `exec()`? I hear that they should be disabled in the php.ini file, but I need them to get server information from the terminal to PHP to the webpage. Thanks in advance. – Francesco Gorini Mar 08 '19 at 02:41
  • Please see the Updated section of my answer for more details and let me know. – Nancy Moore Mar 08 '19 at 05:51
  • Thanks a lot, but my website requires showing the user the directory and its contents. What other option do I have for this other than `shell_exec("ls")`? Should I store all file info in a database? But then how would I get its size and name and location? (Also, I am hosting this on my headless Raspberry, but I still want to take security seriously.) – Francesco Gorini Mar 09 '19 at 06:07
  • I found the function `scan_dir()` that does the job. Thanks a lot. – Francesco Gorini Mar 09 '19 at 06:12