How can I prevent scripts from executing in a directory?

  • folderit
  • Newbie
  • Newbie
  • No Avatar
  • Joined: Dec 22, 2005
  • Posts: 8
  • Status: Offline

Post December 23rd, 2005, 4:08 pm

How can I prevent scripts from executing in a directory?
  • Axe
  • Genius
  • Genius
  • User avatar
  • Joined: Jan 07, 2004
  • Posts: 5755
  • Loc: Sub-level 28
  • Status: Offline

Post December 23rd, 2005, 4:11 pm

?!?
John
» PHP Scripts & Resources » Free Photoshop Tutorials
» Anybody wanna pay my mortgage? PM me!
  • folderit

Post December 23rd, 2005, 4:24 pm

How can I prevent scripts from executing in a directory?
E.g. some H@X0R uploads *.php to uploads/
  • Axe

Post December 23rd, 2005, 4:27 pm

By writing secure scripts that don't allow potentially malicious uploads. :)
John
  • folderit

Post December 23rd, 2005, 4:32 pm

Ok... but what if I wanted someone to upload a .php to share their source... but keep the extension. Validation is one of the stupidest ideas in security I have heard.
  • Axe

Post December 23rd, 2005, 4:37 pm

If you want somebody to upload .php files to share the source, rename them to .phps when you save them out so they won't be executed.
John
  • folderit

Post December 23rd, 2005, 4:39 pm

Yes... But I want it so that it is still PHP. It is possible.
Or I will, just to annoy you :), set my PHP so that every file ext is treated as PHP. Now figure out a way.
  • Axe

Post December 23rd, 2005, 4:41 pm

Now you figure it out.

If you're allowing people to upload and execute PHP files on your site, there's no way for you to automatically have your site detect potentially malicious scripts.
John
  • Impel GD
  • Professor
  • Professor
  • No Avatar
  • Joined: Oct 26, 2004
  • Posts: 838
  • Loc: Cologne, Germany
  • Status: Offline

Post December 23rd, 2005, 4:45 pm

If you don't want to have these php uploads execute, why would you need the *.php extension?
Web and print design
  • folderit

Post December 23rd, 2005, 4:51 pm

You still don't get it, do you?
If Mr X. uploads vvv.php then I don't want the PHP preprocessor to look over it. Furthermore, I would like that to happen in a dir, not just a file.
  • Impel GD

Post December 23rd, 2005, 5:02 pm

We understand that you don't want *.php files to be parsed as php files in a certain directory, but if Mr. X is intelligent enough to be writing scripts he should surely be capable of saving his efforts as a text file before uploading.

folderit wrote:
It is possible.

How come you don't know how to do it if you know it's possible? For all I know it is possible; it just seems like a risk that's not necessary to take.
  • Axe

Post December 23rd, 2005, 5:23 pm

I'm not even 100% sure of what he's trying to do.

You want people to upload .php files, but you don't want them visible from the web?

Upload in a directory that's above your web root.

You want people to upload .php files, and you want them to display on the site? But not be runnable? So save as a .txt file or a .phps file. If they don't need to be executable, why the hell do they still need to have the .php file extension?
John
  • joebert
  • Weathered
  • Genius
  • User avatar
  • Joined: Feb 10, 2004
  • Posts: 11884
  • Loc: Clearwater, FL
  • Status: Offline

Post December 23rd, 2005, 6:21 pm

If it's an Apache server, I think the easiest way might be to add a ForceType directive for the uploads directory.

http://httpd.apache.org/docs/1.3/mod/mo ... #forcetype
http://httpd.apache.org/docs/2.0/mod/co ... #forcetype

Code:
# Serve every file under /uploads as highlighted PHP source instead of running it
<Location /uploads>
  ForceType application/x-httpd-php-source
</Location>
Why yes, yes I am.
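
A directory-level configuration that goes a step further than the ForceType line in the post above, as an added example that is not part of the original thread. It assumes Apache 2.x with mod_php and mod_mime, and the path /var/www/example/uploads is a placeholder for the real upload directory.

```apache
# Added example. Assumptions: Apache 2.x with mod_php and mod_mime loaded;
# /var/www/example/uploads is a placeholder for the real filesystem path.
# Place this in the main server or virtual-host config, not in .htaccess.

# <Directory> matches the filesystem path rather than the URL, so the rules
# still apply when another URL (for example through an Alias) maps here.
<Directory "/var/www/example/uploads">
    # Ignore .htaccess files in this tree, so an uploaded .htaccess
    # cannot map an extension back to a handler.
    AllowOverride None

    # No CGI execution and no server-side includes for uploaded files.
    Options -ExecCGI -Includes

    # Turn the PHP engine off for this tree. Values set with php_admin_flag
    # cannot be overridden from .htaccess. Remove this line if PHP does not
    # run as an Apache module (the directive would then be unknown).
    php_admin_flag engine off

    # Drop extension mappings made elsewhere with AddHandler / AddType.
    RemoveHandler .php .phtml .php3 .php4 .php5 .phps .cgi .pl .py
    RemoveType .php .phtml .php3 .php4 .php5 .phps

    # Serve every file as plain text so the source is displayed as-is.
    ForceType text/plain

    # Ask browsers not to guess a different content type (needs mod_headers).
    <IfModule mod_headers.c>
        Header set X-Content-Type-Options "nosniff"
    </IfModule>
</Directory>
```

After reloading Apache, requesting a test .php file from the uploads URL should return its source text unchanged rather than its output.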
  • Truce
  • Guru
  • Guru
  • No Avatar
  • Joined: Apr 25, 2004
  • Posts: 1478
  • Loc: Washington DC
  • Status: Offline

Post December 24th, 2005, 6:17 pm

folderit wrote:
Validation is one of the stupidest ideas in security I have heard.


That is one of the stupidest things I have ever heard....validation runs the web....get used to it.

You really would get better help if you weren't trying to act like you have the world by the balls. Maybe try being thankful instead of cocky and lazy.

That said, what is the purpose of this whole thing anyways? You can have a textarea that the user pastes the script in, then you store it in a database....then only display it when you need to....and forget a directory altogether....or you can go with Axe's solution, or you can go with Joebert's solution. If you don't want to do any of those, why don't you just sit back and wait to get hacked.
  • Funny_Fuzz
  • Mastermind
  • Mastermind
  • User avatar
  • Joined: Jan 18, 2005
  • Posts: 1519
  • Loc: Australia
  • Status: Offline

Post December 25th, 2005, 5:45 pm

Indeed. I think we've helped you as much as we can.
Quote:
You still don't get it, do you?
This is a very bad attitude that no one should have. You can't expect us to know exactly what is in your head. We are not mind readers. Next time, try to be more specific on the details.
THE BEST THINGS IN LIFE ARE FREE...
JOIN THE MEDIASHARK COMMUNITY TODAY!

© Unmelted Enterprises 1998-2009. Driven by phpBB © 2001-2009 phpBB Group.