在php上保护上传表单

I am making a feature to my site so that users can upload files (any type). In order to secure the upload form, i made a blacklist of non-accepted filetypes. But in order to assure protection to my server (in case of uploading malicious scripts in any way) i thought to tar the uploaded files (using the tar class) so that they are stored as .tar zipped files. So if the user wants to donwload it, then he will receive a .tar file.

My question is, is this secure enough? (since the files cannot be executed then).

[I have this reservation as i can see at the code of tar class, the "fread()"]

Thanks!

Two points, here :

  • Using a blacklist is a bad idea : you will never think to all possible evil filetypes.
  • Do not store the uploaded files into a public directory of your server :
    • Store those files to a directory that is not served by Apache, outside of your DocumentRoot.
    • And use a PHP script (even if Apaches cannot serve the files through HTTP, PHP can read them) to send those files contents to the user who wants to download them.
    • This will make sure that those uploaded files are never executed.


Of course, make sure your PHP script that sends the content of a file doesn't allow anyone to download any possible file that's on the server...

You can upload the files to an non web accessible location (under your webroot) and then use a download script to download the file.

The best way of handling uploaded files, in my opinion, is to place them in a folder that's not reachable through HTTP. Then when a file is requested, use a PHP file to send then download headers, the use readfile() to send the file to the user. This way, files are never executed.

That might work, assuming that you're users that will download the files can untar them (most non UNIX systems just have zip, I'd give them the option to download either format).

Also, i think its better to create a list of allowed files vs banned files. Its easy to forget to ban a specific type; whereas you will probably have a better idea of what users can upload

Dont block/allow files on extension. Make sure you are using the mime type that the server identifies the file as. This way its hard for them to fake it.

also, store the files in a non web accessible directory and download them through a script.

Even if its a bad file, they won't be able to exploit it if they can't directly access it .

When saving the files make sure you use these functions: http://php.net/manual/en/function.is-uploaded-file.php http://php.net/manual/en/function.move-uploaded-file.php

Dan