-2

I am using nginx and PHP, and want to allow images to be uploaded by my users, and placed into a public web accessible directory.

I currently have this rule defined:

```nginx
location ~ /uploads {
    location ~ \.(jpg|gif|png)$ {}
    deny all;
}
```

If it's not a .jpg, .gif, or .png, then deny access to it.

That directory (/var/www/public/uploads) has permissions set to 744.

However, I don't know enough about various vulnerabilities with uploaded images to try my own exploits.

Ideally I'd like to make sure that anything ending in jpg, gif, or png is treated like the respective mime-type, so that no script interpreter will even attempt to execute it.

How do I accomplish this?

AgmLauncher

1 Answer

1

You could have that directory backed by a filesystem with the "noexec" option applied. That's a good way to make sure nothing in there can be executed, even if something or someone manages to modify file permissions.

This can be done in your fstab like so after creating the filesystem (not a real line; update to match your own needs):

```
/dev/mapper/dedicated-filesystem /var/www/public/uploads ext4 noexec,nosuid 0 0
```

Alternatively, (albeit probably not as surely) you can use default ACLs to make all files created in that directory inherit permissions from the parent. You could enforce a 644 permission on all files this way. This doesn't stop something from changing those permissions after creation, though.

Spooler
This does not help with PHP scripts, as the PHP process manager doesn't look at the executable bit when getting a request for a `.php` file. – Tero Kilkanen Sep 27 '16 at 15:03
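
One way to configure what the question asks for at the nginx level, given the comment's point that PHP ignores the executable bit (an added example, not code from the original posts; the server name, PHP-FPM socket path and surrounding server block are assumptions):

```nginx
# Added example. server_name, the PHP-FPM socket path and the fastcgi
# settings are assumptions; adapt them to the real server block.
server {
    listen 80;
    server_name example.test;
    root /var/www/public;

    # "^~" makes this prefix match final: for any URI under /uploads/
    # nginx skips the server-level regex locations, so the \.php$
    # handler below is never selected, whatever the file is called.
    location ^~ /uploads/ {
        # Replaces the inherited MIME map for this location only.
        types {
            image/jpeg jpg;
            image/gif  gif;
            image/png  png;
        }
        default_type application/octet-stream;
        # Ask browsers not to sniff a different type from the content.
        add_header X-Content-Type-Options nosniff always;

        deny all;    # everything else under /uploads/ gets 403

        # allow/deny are inherited by a nested location that sets none
        # of its own, so the image location must allow explicitly.
        location ~ \.(jpg|gif|png)$ {
            allow all;
            try_files $uri =404;
        }
    }

    # PHP is handed only scripts that exist outside /uploads/.
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

Validate the configuration with `nginx -t` before reloading.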