I have a service where a user is allowed to upload anything they please. I have code execution and others disabled, but I cannot find a way to prevent a .htaccess file they upload from executing.
You should always rename user uploaded files! If you do not do that, a user can easily upload hack.php and then launch it to get your site hacked or abused. So this is in fact your problem.

Rename your files after upload. Keep the original name (along with e.g. size, mime type, etc.) in the database and route file download/view via a script which would take that original name from the DB, build proper headers and then file() the content of that file to the user. That would prevent a file from being executable on your server.

Or, if the problem is with .htaccess only (but I dare to say it is wider), then you can configure Apache to ignore .htaccess in certain directories. It requires root rights on the machine, but you can add a <Directory FOLDER> block to the host configuration and put AllowOverride None in it.

Or, just check the target filename on upload and reject any .htaccess and .htpassword. Or anything with a name starting with "."
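The rename-and-serve-through-a-script approach described in the answer, as an added example that is not part of the original post. It assumes uploads are stored outside the web root in UPLOAD_DIR, that metadata lives in a hypothetical PDO table named uploads(id, stored_name, original_name, mime, size), and it uses readfile() to stream the content back:

```php
<?php
// Added example (not from the original answer). Uploads are stored under a random,
// extension-less name outside DocumentRoot, so Apache never sees a .htaccess or
// a .php file it could act on; the original name is only used in response headers.
// Assumptions: UPLOAD_DIR is outside the web root; a PDO-backed table
// uploads(id, stored_name, original_name, mime, size) exists (hypothetical schema).

const UPLOAD_DIR = '/var/uploads'; // outside DocumentRoot, no handlers apply here

function storeUpload(array $file, PDO $db): int
{
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    $original = basename($file['name']);
    // Reject dotfiles (.htaccess, .htpasswd, ...) outright, as the answer suggests
    if ($original === '' || $original[0] === '.') {
        throw new RuntimeException('dotfiles are not accepted');
    }
    // Detect the MIME type from the content; never trust the client-supplied value
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($file['tmp_name']) ?: 'application/octet-stream';
    // On-disk name is random hex with no extension: nothing can execute it
    $stored = bin2hex(random_bytes(16));
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $stored)) {
        throw new RuntimeException('could not move upload');
    }
    $stmt = $db->prepare('INSERT INTO uploads (stored_name, original_name, mime, size) VALUES (?, ?, ?, ?)');
    $stmt->execute([$stored, $original, $mime, $file['size']]);
    return (int) $db->lastInsertId();
}

function serveUpload(int $id, PDO $db): void
{
    $stmt = $db->prepare('SELECT stored_name, original_name, mime, size FROM uploads WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row) {
        http_response_code(404);
        return;
    }
    // Force download and forbid sniffing so the browser never renders an upload as HTML/script
    $safeName = str_replace(['"', "\r", "\n"], '', $row['original_name']);
    header('Content-Type: ' . $row['mime']);
    header('Content-Length: ' . $row['size']);
    header('Content-Disposition: attachment; filename="' . $safeName . '"');
    header('X-Content-Type-Options: nosniff');
    readfile(UPLOAD_DIR . '/' . $row['stored_name']);
}

// Usage: $id = storeUpload($_FILES['upload'], $db);  serveUpload((int) $_GET['id'], $db);
```

Pair this with AllowOverride None on the upload directory (or keep it outside DocumentRoot entirely, as above) so a stray .htaccess has nowhere to take effect even if the filename check is bypassed.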