我们能够遵循本网站上提到的所有指南,接受htaccess规则.他们提到要做以下事情.
Define a .htaccess file that will only allow access to files with allowed extensions.
Do not place the .htaccess file in the same directory where the uploaded files will be stored. It should be placed in the parent directory.
A typical .htaccess which allows only gif, jpg, jpeg and png files should include the following (adapt it for your own need). This will also prevent double extension attacks.
deny from all
order deny,allow
allow from all
If possible, upload the files in a directory outside the server root.
Prevent overwriting of existing files (to prevent the .htaccess overwrite attack).
Create a list of accepted mime-types (map extensions from these mime types).
Generate a random file name and add the previously generated extension.
Don’t rely on client-side validation only, since it is not enough. Ideally one should have both server-side and client-side validation implemented.
这样就不会执行除gif,jpg和png之外的其他文件了.但是他们不希望htaccess位于我们上传图像的文件夹中,因为该文件夹具有权限并且htaccess可以被覆盖.所以他们告诉将文件保持在根级别.
我想知道,如果我们将文件保留在根级别并且只允许图像类型执行,那么我的php脚本将如何执行?当我在根级别添加此htaccess时,当然我的php脚本不起作用并返回权限错误.努力工作以解决这个问题.
你能帮助我做这个工作或任何其他有效的方法来进行这种安全检查.我们不想在系统上留下安全漏洞.
任何帮助将不胜感激.
谢谢你们.
解决方法:
代码可以编码为图像文件,因此您应该禁用此目录的PHP引擎:
php_flag engine off
或者,如果您无法在.htaccess文件中设置它,那么您可以在httpd.conf或vhost conf文件中执行此操作:
# ...
deny from all
order deny,allow
allow from all
php_flag engine off
标签:php,file,security,upload,htaccess
来源: https://codeday.me/bug/20190626/1292965.html
232
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
