如何保护网络服务器的图像上传目录?
对于我的 Web 应用程序,人们可以将图像从 Web 表单上传到我的 Web 服务器。
我应该为该图像上传目录设置什么 CHMOD 设置,以便人们可以将图像(从网络服务器)上传到该目录,但出于安全原因不执行他们上传的任何文件。
chmod 设置是? :
chmod 744 directory/
For my web application, people can upload images from a web form to my web server.
What should I set the CHMOD settings for that image upload directory so that people can upload images (from the web server) to that directory but not execute any files they upload for security reasons.
Would the chmod settings be? :
chmod 744 directory/
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
在这种情况下,“可执行”有两种可能的含义,并且这两种含义都是您需要配置的内容。
可以通过在 shell 中键入文件名来从命令行运行的可执行二进制文件
文件可以由 Web 服务器读取并作为脚本进行处理。
可以由
处理二进制可执行文件
要在 un*x 系统上针对情况 1 进行配置,您需要确保您的上传目录及其中的文件归 Web 服务器用户所有,并且只能由该用户读取。 该目录必须是可执行的; 这意味着可以访问该目录中的文件)。 如果网络用户需要列出目录中的文件,那么它也必须是可读的。 当然,它还必须可写才能创建新文件。
因此,您想要的八进制集将是
文件必须不可执行,并且只能由 Web 服务器读取和写入,因此这些应该是
请注意,这意味着只有 Web 服务器用户能够看到这些文件。 这是安全的最佳情况。 但是,如果您确实需要其他本地用户能够查看这些文件,那么请使用
处理 Web 服务器可执行文件
针对情况 2 进行编码是特定于 Web 服务器的。
一种选择是将上传目录放置在 webroot 之外,完全禁止直接 URL 访问上传的文件,并且只能通过服务器端代码提供这些文件。 您的代码读取并回显文件内容,从而确保 Web 服务器永远不会将其作为脚本处理。
另一个选项是将 Web 服务器配置为不允许对上传目录中的文件进行脚本处理。 此配置是特定于 Web 服务器的。 但是,例如,在 Apache 中,您可以通过输入服务器配置来实现此目的:
AllowOverride None 很重要,因为它会阻止任何人将 .htaccess 文件上传到您的上传目录并重新配置该目录的 Web 服务器权限。
There are two possible meanings for "executable" in this context, and both are things you need to configure against.
An executable binary file that may run from the command line by typing the file's name into a shell
A file that may be read and processed as script by a web server.
Handling binary-executable
To configure against case 1 on a un*x system, you need to ensure that your upload directory, and files therein, are owned by the web server user and only readable by that user. The directory must be executable; this means that the files inside that directory can be accessed). If the web user needs to list the files in the directory, it must also be readable. It, of course, must also be writable to allow new files to be created.
Thus the octal set you want would be
The files must not be executable and should only be readable and writable by the web server,so these should be
Please note that this means that only the web server user will be able to see these files. This is the best situation for security. However, if you really do need other local users to be able to see these files,then use
Handling web-server excutable
Coding against case 2 is web server specific.
One option is to place the upload directory outside of the webroot, dissalowing direct URL access to the uploaded files completely and only to serve them via server-side code. Your code reads and echoes the file content, thus ensuring it is never processed as script by the web server
The other option is to configure your web server to not allow script processing of files in the upload directory. This configuration is web-server specific. However, for example, in Apache you can achieve this this by entering into your server configuration:
AllowOverride None is important, as it stops anyone uploading a .htaccess file to your uploads directory and re-configuring the web server permissions for that directory.
对目录进行 Chmod 无法做到这一点,而且无论模式是什么,您的 Web 服务器都可能将 .php 解释为可执行文件。 您可能想要指定您正在使用的服务器,可能有一个 .htaccess 或类似的指令可以使用。
请注意,目录上的“执行”意味着“可以访问目录内的文件”,因此如果您希望 Web 服务器能够访问目录内的文件,则必须进行设置...
Chmod on the directory can't do this, and moreover your web server may interpret .php as executable no matter what the mode is. You'll probably want to specify what server you're using, there may be a .htaccess or similar directive you can use.
Note that 'execute' on directories means 'can access files inside the directory', so that must be set if you want your web server to have access to the files inside...