My site has the ability to upload photos. In the script with saving the photos, their extension is checked - the last characters in the file name after the last dot. If the extension is not included in the list of valid (for example, png, jpg, jpeg, bmp, gif), then the file does not pass validation.

Question. Do I need to restrict rights to the folder where the photos are uploaded? I heard that for any folders where you can upload files, you need to disable execution (chmod). Or you can still like this:

<FilesMatch "\.([Pp][Hh][Pp]|[Cc][Gg][Ii]|[Pp][Ll]|[Ph][Hh][Tt][Mm][Ll])\.?.*"> Order allow,deny Deny from all </FilesMatch>

And if necessary, why do it? After all, so bad files cannot get into the folder.

  • It is necessary at the level of the web server (.htaccess) to prohibit the execution of scripts from any folders that are writable by the executed scripts themselves. And when files are uploaded to the user when they work, or even scripts just write their logs, it does not matter. Execution permission settings should protect against any errors in the application that allow you to write down what is being done - Mike
  • @Mike, and the code that I gave is enough? I'm talking about FilesMatch. - user153742
  • It prohibits simply accessing files with a specific extension. And it is necessary to prohibit the execution as such. those. Options -ExecCGI and php_flag engine off (for apache) (the global server configuration must allow the use of these options in .htaccess). Well, the .htaccess files themselves should not be writable. And even better in general in web server configurations (and not .htaceess), only allow execution in folders where you really have scripts - Mike
  • @Mike "(the global server configuration should allow the use of these options in .htaccess)." and how to allow to apply? what to change in a global config? - user153742

0