1

I built a form that lets the user to upload files to a specific directory (apache2, php). I already limited file type and did some other security things. But I would anyway also like to deny the execution of those files to all. They're meant to be only downloaded. I've got the following code for htaccess, but it's a fake one, not sure of the syntax, nor if it's the right way of doing it:

<Location "/example/mydir/">
    <Files .>
        ForceType application/octet-stream
        Header set Content-Disposition attachment
    </Files>
</Location>

Could you please help me correct that code or change it to best practices?

  • Note that returning a different Content-type doesn't do what you really want, you have to disable PHP altogether and uploads of .htaccess, .ini files. Possible duplicate of https://stackoverflow.com/questions/1271899/disable-php-in-directory-including-all-sub-directories-with-htaccess – 1lastBr3ath May 30 '18 at 03:03
  • I do not want to just disable php, I want to deny execution of any file type.I thought that by forcing download instead of execution I could avoid that. – Luca Reghellin Jun 03 '18 at 03:32
  • Download happens in browsers until when the file is already executed. So, even when you force php files to be downloaded, you'll get an HTML file and not PHP source code. – 1lastBr3ath Jun 03 '18 at 03:56

1 Answers1

-1

If you want to make sure that the files are not executed, then the best way is to not let users access the files directly.

"But how do you download them if you cant access them?" you might ask. Answer is that you provide a public facing download script that fetches the local file and presents it as a forced download to the user.

You can look at this to see how that can be accomplished.

Artog
  • 290
  • 2
  • 14
  • 2
    **Be careful when you do this!** Simply taking a path and returning the content of the file will get you exploited pretty quickly. –  Jul 15 '19 at 15:37