For my web application, people can upload images from a web form to my web server.
对于我的Web应用程序,人们可以将图像从Web表单上传到我的Web服务器。
What should I set the CHMOD settings for that image upload directory so that people can upload images (from the web server) to that directory but not execute any files they upload for security reasons.
我应该为该图像上载目录设置CHMOD设置,以便人们可以将图像(从Web服务器)上传到该目录,但出于安全原因不能执行他们上载的任何文件。
Would the chmod settings be? :
chmod设置会是吗? :
chmod 744 directory/
2 个解决方案
#1
There are two possible meanings for "executable" in this context, and both are things you need to configure against.
在此上下文中,“可执行文件”有两种可能的含义,两者都是您需要配置的内容。
-
An executable binary file that may run from the command line by typing the file's name into a shell
一个可执行的二进制文件,可以通过在shell中键入文件名从命令行运行
-
A file that may be read and processed as script by a web server.
Web服务器可以作为脚本读取和处理的文件。
Handling binary-executable
To configure against case 1 on a un*x system, you need to ensure that your upload directory, and files therein, are owned by the web server user and only readable by that user. The directory must be executable; this means that the files inside that directory can be accessed). If the web user needs to list the files in the directory, it must also be readable. It, of course, must also be writable to allow new files to be created.
要在un * x系统上配置案例1,您需要确保上载目录及其中的文件归Web服务器用户所有,并且只能由该用户读取。该目录必须是可执行的;这意味着可以访问该目录中的文件)。如果Web用户需要列出目录中的文件,那么它也必须是可读的。当然,它也必须是可写的,以允许创建新文件。
Thus the octal set you want would be
因此,你想要的八进制集
chown <web-server-user> <upload-dir>
chmod 0700 <upload-dir>
The files must not be executable and should only be readable and writable by the web server,so these should be
这些文件不能是可执行文件,只能由Web服务器读写,因此这些文件应该是可读写的
chmod 0600 <uploaded-file>
Please note that this means that only the web server user will be able to see these files. This is the best situation for security. However, if you really do need other local users to be able to see these files,then use
请注意,这意味着只有Web服务器用户才能看到这些文件。这是安全的最佳情况。但是,如果您确实需要其他本地用户才能看到这些文件,那么请使用
chmod 0755 <upload-dir>
chmod 0644 <uploaded-file>
Handling web-server excutable
处理Web服务器可删除
Coding against case 2 is web server specific.
针对案例2的编码是特定于Web服务器的。
One option is to place the upload directory outside of the webroot, dissalowing direct URL access to the uploaded files completely and only to serve them via server-side code. Your code reads and echoes the file content, thus ensuring it is never processed as script by the web server
一种选择是将上传目录放在webroot之外,完全不允许直接URL访问上传的文件,只通过服务器端代码提供服务。您的代码读取并回显文件内容,从而确保Web服务器永远不会将其作为脚本处理
The other option is to configure your web server to not allow script processing of files in the upload directory. This configuration is web-server specific. However, for example, in Apache you can achieve this this by entering into your server configuration:
另一个选项是将Web服务器配置为不允许脚本处理上载目录中的文件。此配置特定于Web服务器。但是,例如,在Apache中,您可以通过输入服务器配置来实现此目的:
<Directory "path-to-upload-dir">
AllowOverride None
Options -ExecCGI
</Directory>
AllowOverride None is important, as it stops anyone uploading a .htaccess file to your uploads directory and re-configuring the web server permissions for that directory.
AllowOverride None很重要,因为它会阻止任何人将.htaccess文件上传到您的上传目录并重新配置该目录的Web服务器权限。
#2
Chmod on the directory can't do this, and moreover your web server may interpret .php as executable no matter what the mode is. You'll probably want to specify what server you're using, there may be a .htaccess or similar directive you can use.
目录上的Chmod无法执行此操作,而且无论模式是什么,您的Web服务器都可能将.php解释为可执行文件。您可能想要指定您正在使用的服务器,您可以使用.htaccess或类似的指令。
Note that 'execute' on directories means 'can access files inside the directory', so that must be set if you want your web server to have access to the files inside...
请注意,目录上的“执行”意味着“可以访问目录中的文件”,因此如果您希望Web服务器可以访问其中的文件,则必须设置它...
#1
There are two possible meanings for "executable" in this context, and both are things you need to configure against.
在此上下文中,“可执行文件”有两种可能的含义,两者都是您需要配置的内容。
-
An executable binary file that may run from the command line by typing the file's name into a shell
一个可执行的二进制文件,可以通过在shell中键入文件名从命令行运行
-
A file that may be read and processed as script by a web server.
Web服务器可以作为脚本读取和处理的文件。
Handling binary-executable
To configure against case 1 on a un*x system, you need to ensure that your upload directory, and files therein, are owned by the web server user and only readable by that user. The directory must be executable; this means that the files inside that directory can be accessed). If the web user needs to list the files in the directory, it must also be readable. It, of course, must also be writable to allow new files to be created.
要在un * x系统上配置案例1,您需要确保上载目录及其中的文件归Web服务器用户所有,并且只能由该用户读取。该目录必须是可执行的;这意味着可以访问该目录中的文件)。如果Web用户需要列出目录中的文件,那么它也必须是可读的。当然,它也必须是可写的,以允许创建新文件。
Thus the octal set you want would be
因此,你想要的八进制集
chown <web-server-user> <upload-dir>
chmod 0700 <upload-dir>
The files must not be executable and should only be readable and writable by the web server,so these should be
这些文件不能是可执行文件,只能由Web服务器读写,因此这些文件应该是可读写的
chmod 0600 <uploaded-file>
Please note that this means that only the web server user will be able to see these files. This is the best situation for security. However, if you really do need other local users to be able to see these files,then use
请注意,这意味着只有Web服务器用户才能看到这些文件。这是安全的最佳情况。但是,如果您确实需要其他本地用户才能看到这些文件,那么请使用
chmod 0755 <upload-dir>
chmod 0644 <uploaded-file>
Handling web-server excutable
处理Web服务器可删除
Coding against case 2 is web server specific.
针对案例2的编码是特定于Web服务器的。
One option is to place the upload directory outside of the webroot, dissalowing direct URL access to the uploaded files completely and only to serve them via server-side code. Your code reads and echoes the file content, thus ensuring it is never processed as script by the web server
一种选择是将上传目录放在webroot之外,完全不允许直接URL访问上传的文件,只通过服务器端代码提供服务。您的代码读取并回显文件内容,从而确保Web服务器永远不会将其作为脚本处理
The other option is to configure your web server to not allow script processing of files in the upload directory. This configuration is web-server specific. However, for example, in Apache you can achieve this this by entering into your server configuration:
另一个选项是将Web服务器配置为不允许脚本处理上载目录中的文件。此配置特定于Web服务器。但是,例如,在Apache中,您可以通过输入服务器配置来实现此目的:
<Directory "path-to-upload-dir">
AllowOverride None
Options -ExecCGI
</Directory>
AllowOverride None is important, as it stops anyone uploading a .htaccess file to your uploads directory and re-configuring the web server permissions for that directory.
AllowOverride None很重要,因为它会阻止任何人将.htaccess文件上传到您的上传目录并重新配置该目录的Web服务器权限。
#2
Chmod on the directory can't do this, and moreover your web server may interpret .php as executable no matter what the mode is. You'll probably want to specify what server you're using, there may be a .htaccess or similar directive you can use.
目录上的Chmod无法执行此操作,而且无论模式是什么,您的Web服务器都可能将.php解释为可执行文件。您可能想要指定您正在使用的服务器,您可以使用.htaccess或类似的指令。
Note that 'execute' on directories means 'can access files inside the directory', so that must be set if you want your web server to have access to the files inside...
请注意,目录上的“执行”意味着“可以访问目录中的文件”,因此如果您希望Web服务器可以访问其中的文件,则必须设置它...