{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 来,给爷笑一个 的问题《Disabling executable code (CGI/SSI/PHP/etc.) on a》','https://www.manongdao.com/q-604331.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I have recently been tasked with opening a sub-domain of a small-scale website that allows trusted users to upload and store files as backups away from their local disks. In general, this new sub-domain will be used to store mainly static Office-type documents (e.g. Microsoft/OpenOffice documents, PDFs, plain text files etc).
I want to ensure that there is a no chance (or realistically, as little chance as physically possible) of a naïve user inadvertently uploading a potentially fatal file, e.g. some nasty PHP script. Ideally, I would like to close down PHP and anything else that could be a security risk (CGI processes, Server-Side Includes etc).
I was just wondering if the Stack Overflow community could help to answer the following question: What is the best way of shutting down all file types/processes that deal with dynamic/executable code, so in effect the the sub-domain is nothing more than a basic static file server?
I have had a look on Google using various keywords/phrases, but I cannot seem to find a good reference to making a sub-domain “safe” as it is possible to do from somebody with a shared server's level of authority.
The website runs on Apache 2.2 on a typical LAMP architecture, and is hosted on a third party shared server.
I DO have access to:
.htaccess(directory level with typical privileges/restrictions)php.iniand.user.ini(directory level with typical privileges/restrictions)- control panel software with some fairly generous options and features (cPanel X)
- fairly flexible web hosts with an excellent tech support service
I DO NOT have access to:
- root access (obviously!)
httpd.confphp.ini(application server level)mysql.cnf
Please bear in mind that I do not have the resources to just invest in a file server or outsource it to a third-party service. Also, this server is not going to be used in a CDN sense, so performance is not really an issue.
(Also, I don't know what can be done about client-side scripts, e.g. JavaScript/VBScript, but any suggestions would be welcome.)
Thanks in advance!
Simple. Don't provide direct access to the files. Run EVERYTHING through a PHP script, which serves up the content as
application/octet-stream. e.g.With this it doesn't matter AT ALL what kind of file they upload - it will never be directly accessible via a direct
http://example.com/nastyfile.php-type URL. And if you store the files on the drive using only their internal ID number, and not their user-provided filename, you gain even more security. A webserver might try to executenastyscript.php, but if it's just12345on the drive, the server won't know what to do with it.