Re: [PHP] User question for PHP
To whoever was asking this (sorry didn't see the original email): Is it possible to have a PHP script execute as the user of the domain instead of the webserver? So when I upload files through a PHP script they are owned by me and not wwwrun or nobody? I was recently exchanging on this list about that very topic. It's in the archives for this list. Go to www.php.net and set the dropdown menu in the upper right corner of the page to general mailing list, then type File Upload Security and chmod into the search field and hit enter. The conversation is within the first few hits on this search. The server hosting my site runs with php executing as me (the owner of the domain), and we covered some of the potential security pitfalls of such a situation (mainly centered on the fact that this makes any php script far too powerful). In my situation I couldn't change how the server was set up; however, the general consensus was that this situation created a number of serious security concerns that had to be very carefully addressed. I would avoid this configuration if you have the choice, based purely on the advice I received. Hope that helps, Andy
Re: [PHP] Can i take the variable name in a function?
Would something like this work?
Definition:
function example($$ex) {
echo Variable Name is $ex;
}
example($ball);
I'm fairly new to php and not so familiar with variable variables, but I
thought I'd throw it out there as a thought!
Andy
On 10/11/06, Jochem Maas [EMAIL PROTECTED] wrote:
Jônata Tyska Carvalho wrote:
How can i take the variable name inside a function, ex:
definition:
function example( $ex ){
echo Variable Name is $ex ; // how to do this?
}
use:
example($ball);
output: Variable Name is ball;
another:
example($sportCar);
output: Variable Name is sportCar;
is that possible?
no.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Can i take the variable name in a function?
u no... I suppose I should have though! :)
On 10/11/06, Jochem Maas [EMAIL PROTECTED] wrote:
Andy Hultgren wrote:
Would something like this work?
did you try it? ;-)
it won't work
Definition:
function example($$ex) {
echo Variable Name is $ex;
}
example($ball);
I'm fairly new to php and not so familiar with variable variables, but I
thought I'd throw it out there as a thought!
Andy
On 10/11/06, *Jochem Maas* [EMAIL PROTECTED]
mailto:[EMAIL PROTECTED] wrote:
Jônata Tyska Carvalho wrote:
How can i take the variable name inside a function, ex:
definition:
function example( $ex ){
echo Variable Name is $ex ; // how to do this?
}
use:
example($ball);
output: Variable Name is ball;
another:
example($sportCar);
output: Variable Name is sportCar;
is that possible?
no.
--
PHP General Mailing List ( http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Can i take the variable name in a function?
Check this out: http://www.php.net/manual/en/functions.arguments.php
Specifically this example:
Making arguments be passed by reference
By default, function arguments are passed by value (so that if you change
the value of the argument within the function, it does not get changed
outside of the function). If you wish to allow a function to modify its
arguments, you must pass them by reference.
If you want an argument to a function to always be passed by reference, you
can prepend an ampersand () to the argument name in the function
definition:
*Example 17-6. Passing function parameters by reference*
?php
function add_some_extra($string)
{
$string .= 'and something extra.';
}
$str = 'This is a string, ';
add_some_extra($str);
echo $str;// outputs 'This is a string, and something extra.'
?
I think that does what you want?
Andy
On 10/11/06, Jônata Tyska Carvalho [EMAIL PROTECTED] wrote:
I know that function does not work, but im asking if someone know a way to
do that.
Someone know how ???
On 10/11/06, Andy Hultgren [EMAIL PROTECTED] wrote:
u no... I suppose I should have though! :)
On 10/11/06, Jochem Maas [EMAIL PROTECTED] wrote:
Andy Hultgren wrote:
Would something like this work?
did you try it? ;-)
it won't work
Definition:
function example($$ex) {
echo Variable Name is $ex;
}
example($ball);
I'm fairly new to php and not so familiar with variable variables,
but I
thought I'd throw it out there as a thought!
Andy
On 10/11/06, *Jochem Maas* [EMAIL PROTECTED]
mailto: [EMAIL PROTECTED] wrote:
Jônata Tyska Carvalho wrote:
How can i take the variable name inside a function, ex:
definition:
function example( $ex ){
echo Variable Name is $ex ; // how to do this?
}
use:
example($ball);
output: Variable Name is ball;
another:
example($sportCar);
output: Variable Name is sportCar;
is that possible?
no.
--
PHP General Mailing List ( http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
--
Jônata Tyska Carvalho
-
-- Técnico em Informática pelo Colégio Técnico Industrial (CTI)
-- Graduando em Engenharia de Computação
Fundação Universidade Federal de Rio Grande (FURG)
[PHP] Problem receiving POSTed data
Hi everyone,
So, I'm trying to receive POSTed data which is being sent from Flash
structured as a nested array pictured (conceptually):
id contains (a, b, c)
a contains (prop1 = a1, prop2 = a2, ...)
b contains (prop1 = b1, prop2 = b2, ...)
c contains (prop1 = c1, prop2 = c2, ...)
where a1, a2, b1, b2, c1, c2 are values stored in the keys prop1, prop2 etc.
of their respective arrays. That's the conceptual structure, but that isn't
how the information is passed to PHP from Flash. In Flash (which uses .
notation for arrays), the data is packaged with a LoadVars object (for those
who care) as follows:
postObject.id1
postObject.id1.prop1 = a1
postObject.id1.prop2 = a2
...
postObject.id2.prop1 = b1
postObject.id2.prop2 = b2
...
etc.
I *think* this data *should be* received by PHP (with dots converted to
_ since that's what I've read php does) in the $_POST array as follows:
$_POST contains (id1 - a, id1_prop1 - a1, id1_prop2 - a2, ..., id2 - b,
id2_prop1 - b1, id2_prop2 - b2, ...)
However, that's not what I appear to be getting from the $_POST array. When
I run this code:
/*/
$data = $_POST;
$stuff = \n \n Post contains:;
foreach($data as $prop = $val) {
$stuff .= \n {$prop}: {$val};
}
/*/
and write $stuff to a .txt file, I get the following output:
Post contains:
id1: a
id2: b
id3: c
and that's it! No information at all about id1_prop1, id1_prop2, id2_prop1,
etc etc.
I am really stuck at this point. Does anyone know how multidimensional
information is passed to the $_POST variable? I know it can be done with
HTML forms and arrays, but I'm using flash and so I think my
multidimensional array of information simply gets flattened into a
one-dimensional array when POSTed as a described above (since Flash uses dot
notation for arrays and php changes dots to underscores and just makes it
one long variable name). And that would work fine if that's what it was
doing, but, for some reason, $_POST doesn't seem to be receiving the second
array dimension at all which contains all of my property information (which
should have been flattened into the first dimension).
If that's doesn't make any sense please let me know and I will attempt to
clarify. Otherwise, any and all help is very much appreciated!
Andy
Re: [PHP] Problem receiving POSTed data
Hang on - my php code may be working fine. It might be a problem with my
actionscript code - particularly that the LoadVars object I'm using to send
the data might not be able to take multidimensional data (though it
definitely does not say that *anywhere* in the documentation!!). Stupid
actionscript documentation.
Raphael, here is the code I am using (I am iterating through all of the
movieclips in my flash doc and gathering data on their name and position):
/*/
for(var i in _level0) {
if(typeof(_level0[i]) == movieclip) {
data_lv[i] = _level0[i];
data_lv[i].id = _level0[i]._name;
data_lv[i].x = _level0[i]._x;
data_lv[i].y = _level0[i]._y;
}
}
data_lv.sendAndLoad(myScript.php, data_lv, POST);
/**/
The odd thing is that I print out the contents of data_lv and everything is
there as expected in multidimensional form so I thought that was working
fine, but someone on a flash message board just posted saying they thought
LoadVars objects could not handle multidimensional data. So maybe even
though the contents of the object print as expected, it doesn't send as
expected. I'll try this in a completely one-dimensional array from flash to
php and see if it works. If it does, I'll let everyone know.
Andy
On 10/6/06, Raphael Martins [EMAIL PROTECTED] wrote:
Did you explicitly checked if the id1 'a' prop isn´t an array?
Can you post your ActionScript codemaybe it´ll help!
:D
Good Luck
2006/10/6, Andy Hultgren [EMAIL PROTECTED]:
Hi everyone,
So, I'm trying to receive POSTed data which is being sent from Flash
structured as a nested array pictured (conceptually):
id contains (a, b, c)
a contains (prop1 = a1, prop2 = a2, ...)
b contains (prop1 = b1, prop2 = b2, ...)
c contains (prop1 = c1, prop2 = c2, ...)
where a1, a2, b1, b2, c1, c2 are values stored in the keys prop1, prop2
etc.
of their respective arrays. That's the conceptual structure, but that
isn't
how the information is passed to PHP from Flash. In Flash (which uses
.
notation for arrays), the data is packaged with a LoadVars object (for
those
who care) as follows:
postObject.id1
postObject.id1.prop1 = a1
postObject.id1.prop2 = a2
...
postObject.id2.prop1 = b1
postObject.id2.prop2 = b2
...
etc.
I *think* this data *should be* received by PHP (with dots converted to
_ since that's what I've read php does) in the $_POST array as
follows:
$_POST contains (id1 - a, id1_prop1 - a1, id1_prop2 - a2, ..., id2 -
b,
id2_prop1 - b1, id2_prop2 - b2, ...)
However, that's not what I appear to be getting from the $_POST
array. When
I run this code:
/*/
$data = $_POST;
$stuff = \n \n Post contains:;
foreach($data as $prop = $val) {
$stuff .= \n {$prop}: {$val};
}
/*/
and write $stuff to a .txt file, I get the following output:
Post contains:
id1: a
id2: b
id3: c
and that's it! No information at all about id1_prop1, id1_prop2,
id2_prop1,
etc etc.
I am really stuck at this point. Does anyone know how multidimensional
information is passed to the $_POST variable? I know it can be done
with
HTML forms and arrays, but I'm using flash and so I think my
multidimensional array of information simply gets flattened into a
one-dimensional array when POSTed as a described above (since Flash uses
dot
notation for arrays and php changes dots to underscores and just makes
it
one long variable name). And that would work fine if that's what it was
doing, but, for some reason, $_POST doesn't seem to be receiving the
second
array dimension at all which contains all of my property information
(which
should have been flattened into the first dimension).
If that's doesn't make any sense please let me know and I will attempt
to
clarify. Otherwise, any and all help is very much appreciated!
Andy
Re: [PHP] Problem receiving POSTed data
Am working on #2 right now...
On 10/6/06, Richard Lynch [EMAIL PROTECTED] wrote:
On Fri, October 6, 2006 4:01 pm, Andy Hultgren wrote:
/*/
$data = $_POST;
$stuff = \n \n Post contains:;
foreach($data as $prop = $val) {
$stuff .= \n {$prop}: {$val};
}
/*/
pre?php var_dump($_POST);?/pre
PHP does pretty minimal munging of the POST data.
It's unlikely that Flash is sending what you think it's sending.
Even if it is, you have two options:
1. Use HTTP_RAW_POST_DATA (turn it on in PHP) and write your own Flash
array parser in PHP.
2. Convince Flash to POST data more like PHP wants it:
id[a][prop1]=a1id[a][prop2]=a2id[b][prop1]=b1...
#2 will probably be WAY easier, unless Flash is even more broken than
I think. And I think Flash is pretty broken. :-)
--
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
Re: [PHP] Problem receiving POSTed data
Problem solved: it was indeed that the flash object did not like
multidimensional data.
I didn't change my PHP code one little bit. But I changed my my
ActionScript code to write the data in a 1-dimensional form as follows:
/*/
for(var i in _level0) {
if(typeof(_level0[i]) == movieclip) {
data_lv[i + _path] = _level0[i];
data_lv[i + _id] = _level0[i]._name;
data_lv[i + _x] = _level0[i]._x;
data_lv[i + _y] = _level0[i]._y;
}
}
data_lv.sendAndLoad(myScript.php, data_lv, POST);
/**/
This works perfectly and php receives all of the data correctly. Thanks
guys for your thoughts. I'm going to be posting an addition to the online
ActionScript documentation to hopefully help others avoid this pitfall!
Andy
On 10/6/06, Andy Hultgren [EMAIL PROTECTED] wrote:
Am working on #2 right now...
On 10/6/06, Richard Lynch [EMAIL PROTECTED] wrote:
On Fri, October 6, 2006 4:01 pm, Andy Hultgren wrote:
/*/
$data = $_POST;
$stuff = \n \n Post contains:;
foreach($data as $prop = $val) {
$stuff .= \n {$prop}: {$val};
}
/*/
pre?php var_dump($_POST);?/pre
PHP does pretty minimal munging of the POST data.
It's unlikely that Flash is sending what you think it's sending.
Even if it is, you have two options:
1. Use HTTP_RAW_POST_DATA (turn it on in PHP) and write your own Flash
array parser in PHP.
2. Convince Flash to POST data more like PHP wants it:
id[a][prop1]=a1id[a][prop2]=a2id[b][prop1]=b1...
#2 will probably be WAY easier, unless Flash is even more broken than
I think. And I think Flash is pretty broken. :-)
--
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
Re: [PHP] File Upload Security and chmod
So I've been trying to figure out where php uploads files to temporarily store them before I move them to their permanent storage directory, and I'm having some difficulties: -- php_info() says the temporary file upload directory is /tmp but I don't know if that's relative to my root directory or what and can't figure out from the documentation how that path is displayed. -- I have tried to call pathinfo() and realpath() on my $_FILES['name']['tmp_name'] file before it is moved, but neither gives the full path to the file (which I realized after reading the documentation that neither is supposed to do). Any ideas on functions that will give the full path of the inputted file? I've been searching the php documentation and general list but to no avail. On the plus side, I did get to practice writing information to a text file, so that was fun :) Thanks for the tips on the chmod requirements for the get_image_size() function, I'm all about keep permissions as strict as possible at this point! Crap, gotta use my brain, huh? :) Seriously, thanks for the overview on how security should be approached and for the advice to not take general security recommendations at face value but to give them some thought, given my unique situation. This is really good for me to learn now, while I'm still implementing my security rather than later when I might have to redo everything (or might have a gaping hole based on a poor assumption). At least I won't be storing anyone's financial information, so I should only be a target for people who just want to be mean, but not people who want to get free stuff from others credit info. Maybe I should have one of those disclaimers posted on my homepage like the ones that you see in taxis sometimes: This driver never carries more than $20 cash. -- This website never carries anyone's financial information. :) Andy On 9/26/06, Richard Lynch [EMAIL PROTECTED] wrote: On Mon, September 25, 2006 3:58 pm, Andy Hultgren wrote: So I tried to implement the example code given in the php tmpfile() documentation and it wouldn't do anything, which suggests that I don't have access to the /tmp directory. Also, the FAQ's section on my server's website say that /tmp is not shared between the servers. So, looks like /tmp option is out... Did they perhaps give you your own tmp directory elsewhere?... Sometimes you just need to poke at it to figure out where your tmp is, and then you can use the PHP functions that let you specify your own directory, but not the ones that assume that system /tmp is your tmp My host has a tmp dir I can use, but it ain't /tmp, and PHP routinely tries to use /tmp with some functions. G. So, let me see if I understand the situation I'm looking at here: The bad side: -- I don't have any place to put uploaded files outside of my webtree, which makes it tough to ensure these files cannot be surfed to once they are uploaded, and also means I have to do my security checks while the files are within my webtree and potentially accessible. (BAD). Yes. Though if file uploads are working at all, looking at the $_FILES array may give you a clue as to a directory that you maybe *can* access which is your own private tmp... -- Any php script on my server (created by me or somehow maliciously uploaded) can do whatever it wants within my account because all php scripts run as me. (also BAD). On the plus side, some of the coding gets real simple, since you are you, and you are never somebody else. :-) The good side: -- Uploaded files can be chmod so that nobody can read them, then I chmod them when I need to use them. This adds a layer of protection for completely uploaded files. I assume this will not help with files while they are getting their security checks, since PHP has to be able to read and execute them in order to run the checks (get_image_size, etc.)? PHP needs to read them for get_image_size, but not execute. Use minimum force needed. If you are flipping the chmod around within your scripts, that reduces your risk to however long the dir remains in its 0777 (or whatever) state, which is however long your script takes to process whatever it has to process in that state. So long exhaustive checks of the validity of a file are bad because that leaves that window open longer, but they're good because the file is then more likely to be kosher. -- Since I'm only allowing image uploads, I can strictly filter which files are allowed to be uploaded (with extension checks and get_image_size). Extension check is kinda useless... I can name any file I want with .jpg and upload it. get_image_size() is good, as it checks the first N bytes -- But somebody somewhere can construct a worm with the first N bytes that LOOK like a valid image, to get_image_size() A human eyeball check would be even better, as then you *know* that a much larger number of bytes are a valid image. It could still be image+worm with the worm
Re: [PHP] File Upload Security and chmod
Well, seeing as I have no directory anywhere in my file structure called /tmp and yet my file uploads are still working, it would appear that my temporary file upload directory /tmp given by php_info() is somewhere outside of my root directory. So that's good news! That's were I'll be doing my file checks anyway before moving any files into my root directory. Anyway, at this point it looks like I need to buckle down and do some thinkin'. Thank you everyone for your advice, I really really appreciate it!! You guys have given me a really good foundation to start from on these questions of site security, and I appreciate you taking the time to pass on your expertise to a newcomer. All the best, Andy On 9/27/06, Richard Lynch [EMAIL PROTECTED] wrote: On Wed, September 27, 2006 12:12 pm, Andy Hultgren wrote: So I've been trying to figure out where php uploads files to temporarily store them before I move them to their permanent storage directory, and I'm having some difficulties: -- php_info() says the temporary file upload directory is /tmp but I don't know if that's relative to my root directory or what and can't figure out from the documentation how that path is displayed. /tmp means the /tmp on the root of the hard drive, which your webhost allegedly isn't letting you share... HOWEVER: It is entirely possible (nay, even likely) that they have you in a ch-rooted environment where your /tmp is not somebody else's /tmp so you'll just see /tmp and you don't have to worry about the fact that it's not really really /tmp but somewhere else... -- I have tried to call pathinfo() and realpath() on my $_FILES['name']['tmp_name'] file before it is moved, but neither gives the full path to the file If $_FILES['name']['tmp_name'] does already have the full path, something is very wrong on your system... Note that as soon as your upload-receiving script ends, the file is deleted. You *have* to use move_uploaded_file() on it in the upload-receiving script to save the file somewhere else, or it's just gonna go away, and you ain't gonna see it never again. Maybe I should have one of those disclaimers posted on my homepage like the ones that you see in taxis sometimes: This driver never carries more than $20 cash. -- This website never carries anyone's financial information. :) :-) While there are obviously people out there who will just attack randomly, (spammers) I honestly believe that a valuable/useful/warm-fuzzies site (in the eyes of the attackers) is a much less likely target for an actual human attack. I have absolutely zero evidence to support that claim, other than one site that's been wide open to abuse for most of a decade, and only the mindless spam-bots bother it... :-) -- Like Music? http://l-i-e.com/artists.htm
Re: [PHP] File Upload Security and chmod
Tedd,
Thanks so much your thorough response - it's good to know that I'm not the
only one trying to figure this out! I'm curious, in your code you use the
PHP ftp functions, but I have used the PHP functions chmod() and mkdir()
without establishing an ftp connection. Is it faster to establish an ftp
connection within PHP and then use the ftp series of functions to accomplish
all of the directory creation and permissions changes? If so, then I will
probably change my code to follow yours.
Andy
On 9/25/06, tedd [EMAIL PROTECTED] wrote:
At 9:32 PM -0600 9/24/06, Andy Hultgren wrote:
Hi Tedd,
Yes, when I browse to www.myDomain.com I get the index.html file, and so
I
have been leaving the .public_html/ directory alone since it is not my
root. I'm curious, what you described is exactly what I'm trying to do -
what permissions do you set the parent folder at when you are finished
uploading/saving/downloading/etc.? I have my uploaded_images/
directory set at chmod 0100 and I can still browse to an uploaded image
from
my file upload page... Thanks for your response,
Andy:
I ran into the same problem trying to work with, and understand,
permissions on a virtual host. When I asked this gang about
permissions some time back, I received answers that ranged from RTFM
to calling me stupid for using 0777, but none answered my question.
No fault of the gang, I probably didn't ask the question correctly.
In any event, I felt too stupid to ask the question again, so I went
elsewhere looking for answers and eventually found something that
works for me.
Some consider me a novice, so I'll ask the gang to overview my
comments to make sure that I'm not guiding you down the wrong path.
As you know, the key to setting the permissions of a file depends
upon the permissions the parent folder. If the parent folder
permission is set to 0777, then we can change any files inside the
folder as we want. However, that also presents a major security hole
because then anyone can use that folder to upload and run evil code.
So, the key problem is how to alter parent folder permissions.
With virtual hosting, we can upload, manage, and set permissions as
we want via our FTP connection software. So, I thought perhaps php
had something like that and as such I discovered how to ftp connect
via php.
Now, not all php ftp_commands are available to php 4, but you can
connect to your site and change permissions of folders, which is what
we actually need. So, if you want to do something with a file: then
change the folder permissions of the folder that holds it; do
whatever you want with the file; and then change the folder
permissions back to something safe.
You can also create new folders if you want using the command ftp_mkdir().
Note, the beginning of the ftp_paths are different than url paths we
would normally use to locate a file. For example:
An example web path:
http://www.yourdomain.com/rw/tmp/text.txt
An example symbolic link:
public_html/rw/tmp/text.txt
The following code will show you an example of how this works. Just
put in your own domain, user id, password, and correct paths and try
it out. Change the permissions in the code and watch how the file
permissions change.
Please let me know if this works for you -- watch for line breaks.
hth's
tedd
PS: I don't know what to say about your .public_html/ directory,
but I would just leave it alone.
---
// how to call the function
?php
$ftp_path = public_html/rw/; // note the ftp path
$theDir = tmp;
$theFile =text.txt;
FtpPerms($ftp_path, $theDir, $theFile);
?
// the function
?php
// create directory and change permissions via FTP connection
function FtpPerms($path, $theDir, $theFile)
{
$server='ftp.yourdomain.com'; // ftp server
$connection = ftp_connect($server); // connection
$user = you;
$pass = yourpassword;
$result = ftp_login($connection, $user, $pass); // login to ftp server
if ((!$connection) || (!$result))
{
echo(No connectionbr/);
return false;
exit();
}
else
{
echo(Made connectionbr/);
ftp_chdir($connection, $path); // go to destination dir
echo(Change permissionbr/);
$str=CHMOD 0755 . $theDir; // change permissions for dir (note the
space after 0775 )
ftp_site($connection, $str);
echo($strbr/);
$filename = $theDir/$theFile;
$contents = This is the contents of the file.;
echo(hrbr/Writing file br/br/);
$file = fopen( $filename, w );
fwrite( $file, $contents);
fclose( $file );
chmod($filename,0755);
echo(Change permissionbr/);
$str=CHMOD 0600 . $theDir; // change permissions back for dir
ftp_site($connection, $str);
echo($strbr/);
echo(Close connectionbr/);
ftp_close($connection); // close connection
}
}
?
--
---
http://sperling.com http://ancientstones.com http://earthstones.com
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] File Upload Security and chmod
Well, that didn't sound too good... So I tried to implement the example code given in the php tmpfile() documentation and it wouldn't do anything, which suggests that I don't have access to the /tmp directory. Also, the FAQ's section on my server's website say that /tmp is not shared between the servers. So, looks like /tmp option is out... So, let me see if I understand the situation I'm looking at here: The bad side: -- I don't have any place to put uploaded files outside of my webtree, which makes it tough to ensure these files cannot be surfed to once they are uploaded, and also means I have to do my security checks while the files are within my webtree and potentially accessible. (BAD). -- Any php script on my server (created by me or somehow maliciously uploaded) can do whatever it wants within my account because all php scripts run as me. (also BAD). The good side: -- Uploaded files can be chmod so that nobody can read them, then I chmod them when I need to use them. This adds a layer of protection for completely uploaded files. I assume this will not help with files while they are getting their security checks, since PHP has to be able to read and execute them in order to run the checks (get_image_size, etc.)? -- Since I'm only allowing image uploads, I can strictly filter which files are allowed to be uploaded (with extension checks and get_image_size). (Plus all the stuff talked about in the PHP Security Guide provided by the PHP Security Consortium for html POSTs, MySQL stuff, cookies, etc. Well, all of it that I can implement without having access to a directory outside of my webtree anyway). So, given this situation (if I've got it right), I have two questions: 1) With the above as is, am I just asking for anyone to come in and tear my site apart? I am not an experienced web developer (obviously), but I love to read. Is that enough to build a secure site, or am I just way in over my head? 2) Imaging that I can convince my host to rebuild my site so that I have access to directories outside of my webtree and can check and save uploaded files there, does that make the situation substantially better? Or is the PHP running as me thing enough alone to raise some serious serious problems (perhaps less around the image uploading but more around a login page or something)? As always, thank you so much for your help. Andy On 9/25/06, Richard Lynch [EMAIL PROTECTED] wrote: On Sun, September 24, 2006 11:04 pm, Andy Hultgren wrote: I really appreciate your help with this. To answer your first question: when people surf to my site they see the stuff next to (outside) .public_html/, not anything within .public_html/. (Thanks by the way for explaining the .dirName invisibility thing, that's one confusing thing not to worry about anymore!) Hmmm. Okay, so you definitely do not have any space outside the webtree. That's bad. Anything you upload is stuck being available to the public, to some degree. :-( You *may* be able to utilize /tmp See if you can write a short little script with http://php.net/tmpfile This will give you and idea if you can stash things in /tmp, at least until you can confirm that they are not Evil. To answer your second question: the uploadedFiles/ directory is 0100, but not the file. The uploaded file itself is 0640. So your login is allowed to read files within the directory, but not to list what's in the directory. Your login and your group can read the file itself. Your login can write the file as well. See next question/answer. Third question: it runs as the same username I use to login to my server's ftp site. This information wasn't in the output of the phpinfo() function (that I could find). I did some searching on php.net and found this entry under the get_current_user() function ( http://us3.php.net/manual/en/function.get-current-user.php, top user contributed note): ** *to get the username of the process owner (rather than the file owner), you can use: **?php $processUser = posix_getpwuid(posix_geteuid**()); print $processUser['name'**]; ? * ** I used this code to find out the user PHP runs as. Is that what you were looking for? Yes. And since PHP runs as you with your login, it can do everything listed above. So you probably cannot surf to the DIRECTORY and get a listing (even if DirectoryIndex is on) but if you know the name of the file in advance, you can surf to it. So if you want to make a file not readable, you have to chmod it so that *YOU* cannot read it. This will be a PITA because then you'll need to chmod it back any time you want to mess with it. As the owner of a file, you are allowed to chmod it so that you yourself cannot read it -- kind of like locking it away in a safe -- and then you have to chmod it back to readable (open the safe) to read it. You still own the file, so you can always chmod it anywhich way you want, at any time. Running your webserver as you gives it a lot of power
Re: [PHP] File Upload Security and chmod
Hey Tedd and Eric, Between the two of you and Richard Lynch's last post, I understand why I can use chmod() and mkdir() within php without having to use the ftp commands: I run on a server that is configured to run my php scripts as username (ie. me!) instead of as nobody (which is much more common). So my php scripts have powers which they probably shouldn't have. So, Tedd, you don't have to go back to the manual it looks like you are exactly right, I'm just on a goofy server which is the exception to the rule (for better or for worse). I really appreciate you guys jumping in a giving me a hand. Hopefully I get good enough at this that I can return the favor sometime!!! Andy On 9/25/06, Eric Butera [EMAIL PROTECTED] wrote: On 9/25/06, Andy Hultgren [EMAIL PROTECTED] wrote: Tedd, Thanks so much your thorough response - it's good to know that I'm not the only one trying to figure this out! I'm curious, in your code you use the PHP ftp functions, but I have used the PHP functions chmod() and mkdir() without establishing an ftp connection. Is it faster to establish an ftp connection within PHP and then use the ftp series of functions to accomplish all of the directory creation and permissions changes? If so, then I will probably change my code to follow yours. Andy By using FTP you can specify which user account you want the connection to be established at. When running a PHP script the script will be running by the Apache server, which means it will have specific permission levels which cannot create directories or chmod unless Apache owns the parent directory. That is why Tedd went through all that trouble.
Re: [PHP] File Upload Security and chmod
Hi Tedd, Yes, when I browse to www.myDomain.com I get the index.html file, and so I have been leaving the .public_html/ directory alone since it is not my root. I'm curious, what you described is exactly what I'm trying to do - what permissions do you set the parent folder at when you are finished uploading/saving/downloading/etc.? I have my uploaded_images/ directory set at chmod 0100 and I can still browse to an uploaded image from my file upload page... Thanks for your response, Andy On 9/23/06, tedd [EMAIL PROTECTED] wrote: At 7:19 PM -0600 9/22/06, Andy Hultgren wrote: For whatever reason when I ftp in using WinFtp I don't see public_html (it's hidden, don't know why; if I make a directory called .public_html it gets created and then disappears), but I can see my file structure from my host's website and so I know that when I ftp in to myDomain.com this is what is there: index.htm page1.htm page2.htm .public_html/ images/ etc. etc. Andy: Sorry, I didn't catch all of the thread, but this is my drift. When you access your site (http://yourdomain.com) via a browser, do you see the above index.htm? If so, and you want to stay with that host, then leave the .public_html/ folder alone, and build your site using WinFTP, or whatever. If you want to change permissions for a file from within a php script, then ftp into your site (using ftp_login), change the parent folder permissions, do your file thing (upload, delete, save, etc.), and then change the parent folder permissions back and it's done. At least that's the way I do it working on a shared host and it works for me. tedd -- --- http://sperling.com http://ancientstones.com http://earthstones.com
[PHP] File Upload Security and chmod
Hi,
I am relatively new to php and am trying to set up a file upload
process for my website. I have read through the php security
documentation and a number of the security-related questions on these
lists and am attempting to implement as many of the measures as
possible.
One of the suggestions I have read is to have the uploaded files saved
somewhere outside of your root directory. Unfortunately I cannot do
that as my root directory is simply www.myDomain.com and not
.public_html/ and I am on a shared server where my root cannot be
changed (I have already asked). So, I am trying to keep the
permissions on my saved_files folder as tight as possible except
when the actual upload occurs. I this as follows:
1) The actual file upload comes through Flash8, and when the user
uploads a file it is sent to
www.domain.com/flash8directory/upload.php, which is in the same
directory as the Flash8 upload application.
2) upload.php first chmod 0740 the saved_files folder (which is
located at www.domain.com/flash8directory/saved_files/). Then it does
security checks to make sure an appropriate image has been uploaded,
and if everything looks good it moves the uploaded file to
saved_files.
3) The Flash8 upload application is notified of the completion of the
upload and downloads the new image it its viewer.
4) Once the download is complete and Flash8 no longer needs to work
with the file, the Flash8 application notifies a separate php script
by sending the variable complete=1 to lockdown.php (located at
www.domain.com/flash8directory/lockdown.php), which runs the following
simple script:
?php
$success = 0;
$complete = $_POST['complete'];
if ($complete==1) {
if(chmod(./saved_files, 0100)) {
success = yes;
echo success=yes;
}
}
?
This script works and saved_files is set to chmod 0100, but here is
the problem. If I then navigate directly to the url of the uploaded
file by entering its path in my
browser(www.domain.com/flash8directory/saved_files/uploadedFile.jpg),
the uploaded file appears in my browser! However, if I then refresh
the browser I get the desired error message saying I do not have
permission to access that file. Also, other browser windows never
have access to view the uploaded file, only the browser from which the
file was uploaded.
Any thoughts on why I can view the uploaded file even though it has
been set to chmod 0100? I'd really rather not have those files
accessible to anyone, as an extra security layer.
Thank you for your help!
Andy
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] File Upload Security and chmod
So pretty much there's nothing to be done about it? If I can get the chmod thing to make it so that you can't surf to your uploaded image afterwards and view it, I'd be happy with that solution. I'd like to stick with this host if I could. On 9/22/06, Richard Lynch [EMAIL PROTECTED] wrote: On Fri, September 22, 2006 3:58 pm, Andy Hultgren wrote: that as my root directory is simply www.myDomain.com and not .public_html/ and I am on a shared server where my root cannot be I got two words for you: Change Hosts -- Like Music? http://l-i-e.com/artists.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] File Upload Security and chmod
For whatever reason when I ftp in using WinFtp I don't see public_html (it's hidden, don't know why; if I make a directory called .public_html it gets created and then disappears), but I can see my file structure from my host's website and so I know that when I ftp in to myDomain.com this is what is there: index.htm page1.htm page2.htm .public_html/ images/ etc. etc. Currently nothing is stored in my .public_html directory since it is not my root (and my website loads just fine when browsed to). I don't ftp in from DreamWeaver and it isn't an issue of going straight to public_html just to skip the cd step. public_html just isn't set up as my root directory and I have no directories accessable that are higher than my root. So, since I have no access to directories outside of my root, do you really think I should change that before allowing file uploads? (either by changing servers or just bugging my server adminstrator until he changes it). I currently check extension type and then image type using get_image_size(); and also files with image extensions are not executable on the server. However, from what I've read I understand that those steps are the minimum in terms of file upload security. Also, I'd be curious still to hear why I can browse to a file in a directory that has been set with chmod 0100. I really didn't expect that. Thanks again very much for your thoughts, Andy On 9/22/06, Richard Lynch [EMAIL PROTECTED] wrote: I may have hit send too soon... Like, when you do FTP, do you see: index.htm page2.htm page3.htm right away? *OR*, do you see: public_html And then you do cd public_html and THEN you see the files? If you don't do cd public_html then I really don't think accepting file uploads is a Good Idea, unless you have access to /tmp or something to put the files in... If you do cd public_html then you actually HAVE space outside your webtree. Just do mkdir uploads and chmod 777 uploads *BEFORE* you do cd public_html and you'll have an uploads dir outside the webtree where you can put stuff. NOTE: Some fancy FTP tools like DreamWeaver and whatnot will convince you to put public_html into some input box somewhere, to give you the convenience of not needing to cd public_html -- which then means you never *SEE* that you have space outside your webtree... Stop doing that. An extra click or whatever to get into public_html is not that big of a deal. On Fri, September 22, 2006 7:21 pm, Andy Hultgren wrote: So pretty much there's nothing to be done about it? If I can get the chmod thing to make it so that you can't surf to your uploaded image afterwards and view it, I'd be happy with that solution. I'd like to stick with this host if I could. On 9/22/06, Richard Lynch [EMAIL PROTECTED] wrote: On Fri, September 22, 2006 3:58 pm, Andy Hultgren wrote: that as my root directory is simply www.myDomain.com and not .public_html/ and I am on a shared server where my root cannot be I got two words for you: Change Hosts -- Like Music? http://l-i-e.com/artists.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- Like Music? http://l-i-e.com/artists.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
