WebFaction
Community site: login faq

I originally asked this on Stack, thinking it's a basic-I-don't-understand-PHP question, but the answers I'm getting there indicate that it depends a lot on host specifics, so:

I'm trying to use this Dagon Design PHP form to help a local non-profit publication enable their readers to submit photos. I've got the "mailer" part working -- the notifications work fine -- but the "saving a file to a folder" part isn't functioning.

On the form page, the author says "the directory must have write permissions," but I'm not sure "who" is writing to that folder -- is this PHP script considered "Owner" when it saves something on my site? Or do I need to allow save permissions for Owner, Group and Others?

I'm not sure why the script isn't saving the photos, but this seems like a good place to start.

The page I'm clumsily trying to build is here, if that helps.

asked 04 Sep '12, 08:18

mattshepherd
4541830
accept rate: 0%


On our system, your PHP processes run as your own user, so you don't need to give write permission to group or other.

If you believe that the problem you're having is related to permissions, then try using 711 or 755 on the directory to which you're trying to upload files, and ensure that you have ownership of that directory.

permanent link

answered 04 Sep '12, 12:50

seanf
12.2k41836
accept rate: 37%

edited 04 Sep '12, 12:50

Good to know -- thanks, seanf. At least now I know it's not permissions...

(05 Sep '12, 06:35) mattshepherd

First off: Providing write access folders can be dangerous. The main reason being that if I (as an evil person) can write to that directory, I can write a script that lets me hack into your machine. You REALLY want to make sure that:

1) where-ever you're storing the files is somewhere that can't store something that could be run. (e.g. /$DOCROOT/photos since I could load a .php script and guess the path to run it.)

2) you run your server under an account like "nobody" that has permission to do very little on the machine. (So when someone breaks your security, they can't do much damage.)

That last one can be hard to do, particularly if you don't own the server you're running on.

Now, if your case, you wanted to know who to give write permissions to for the directory: (this presumes you're running Linux)

1) set the download destination directory to global write: chmod 777 /path/to/upload/directory

2) upload a file.

3) see who wrote the file: ls -l /path/to/upload/directory

You'll see something like: -rw-r--r-- 1 jrconlin 33280 2012-09-05 16:42 foo.bar

In this case, the file "foo.bar" was written by user "jrconlin". In an ideal world, you'd change the owner of that directory to be "jrconlin", and bolt down permissions accordingly. Sadly, that's probably not going to be possible (again, unless you own the box and have super user privileges).

So, instead, try the following, (presuming you're running apache) Create a /path/to/upload/directory/.htaccess (note the "." at the front) containing:

RemoveHandler .php
RemoveHandler .inc
RemoveHandler .pl
RemoveHandler .cgi
RemoveHandler .py
RemoveHandler .fcgi

This will prevent those scripts from being run. Obviously, this is not a perfect list, and you will need to add any additional files if you know or suspect them.

permanent link

answered 05 Sep '12, 11:25

jrconlin
11
accept rate: 0%

edited 05 Sep '12, 11:26

If I'm understanding you correctly, the risk is that somebody could upload a malicious script rather than a photo, right? Would setting acceptable file types to only .jpg, .png and .jpeg solve that problem (i.e. something like “type=file|class=|label=|fieldname=|[req=true]|[allowed=png,jpg,gif]”), or could people just upload PHP scripts with a false suffix and run them anyway?

(I've gone ahead and created the .htaccess file).

(05 Sep '12, 11:37) mattshepherd

Our system is configured like this:

<FilesMatch \.php$>
    SetHandler php52-fcgi
</FilesMatch>

That means only files whose name ends with ".php" will executed as PHP scripts.

So, if you validate your input and accept only image file extensions, then that will help the security of your application.

Using a "symbolic link to static-only" application to serve your uploads directory will provide additional security, since static-only apps are exactly that: static only.

(05 Sep '12, 11:42) seanf
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×262
×64
×3

question asked: 04 Sep '12, 08:18

question was seen: 24,734 times

last updated: 05 Sep '12, 11:51

WEBFACTION
REACH US
SUPPORT
AFFILIATE PROGRAM
LEGAL
© COPYRIGHT 2003-2019 SWARMA LIMITED - WEBFACTION IS A SERVICE OF SWARMA LIMITED
REGISTERED IN ENGLAND AND WALES 5729350 - VAT REGISTRATION NUMBER 877397162
5TH FLOOR, THE OLD VINYL FACTORY, HAYES, UB3 1HA, UNITED KINGDOM