httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Tom Evans <tevans...@googlemail.com>
Subject Re: [users@httpd] Don't allow users to upload files
Date Thu, 20 Oct 2011 13:09:12 GMT
On Thu, Oct 20, 2011 at 1:53 PM, Hugo Gomes <hugo@lip.pt> wrote:
> Hi all,
>
>        I have a webserver where the users homes are copied to a folder, and I
> want to assume that users can not make a script (for instance .php) to
> let upload files.
>
>        In my httpd config file i have this directive that assumed it was
> enough, but now i saw that people can still upload files with some .php
> scripts that users have in their home.
>
>
>  <Limit GET POST OPTIONS PROPFIND>
>        Order allow,deny
>        Allow from all
>  </Limit>
>  <Limit PUT DELETE PATCH PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
>        Order deny,allow
>        Deny from all
>  </Limit>
>
>
>        What configuration directive can i insert in the config file to don't
> allow users could upload files to their homes through php scripts
> (move_uploaded_file)
>
>

File uploads through PHP et al (as opposed to via WebDAV or mod_ftp)
are handled through POST requests. There may be PHP directives that
allow you to control this, but I'm not aware of them, try a PHP list.

Cheers

Tom

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message