如何保护 Web 服务器的图像上传目录? [英] How do i secure a web server's image upload directory?
问题描述
对于我的网络应用程序,人们可以将图像从网络表单上传到我的网络服务器.
For my web application, people can upload images from a web form to my web server.
我应该为该图像上传目录设置 CHMOD 设置,以便人们可以将图像(从 Web 服务器)上传到该目录,但出于安全原因不能执行他们上传的任何文件.
chmod 设置会是什么?:
Would the chmod settings be? :
chmod 744 directory/
推荐答案
在这种情况下,可执行"有两种可能的含义,而这两种含义都是你需要配置的.
There are two possible meanings for "executable" in this context, and both are things you need to configure against.
一个可执行的二进制文件,可以通过在 shell 中键入文件名从命令行运行
An executable binary file that may run from the command line by typing the file's name into a shell
一个可以被读取并被网络服务器作为脚本处理的文件.
A file that may be read and processed as script by a web server.
处理二进制可执行文件
要在 un*x 系统上针对案例 1 进行配置,您需要确保您的上传目录和其中的文件归 Web 服务器用户所有,并且只能由该用户读取.该目录必须是可执行的;这意味着可以访问该目录中的文件).如果网络用户需要列出目录中的文件,它也必须是可读的.当然,它也必须是可写的以允许创建新文件.
To configure against case 1 on a un*x system, you need to ensure that your upload directory, and files therein, are owned by the web server user and only readable by that user. The directory must be executable; this means that the files inside that directory can be accessed). If the web user needs to list the files in the directory, it must also be readable. It, of course, must also be writable to allow new files to be created.
因此你想要的八进制集是
Thus the octal set you want would be
chown <web-server-user> <upload-dir>
chmod 0700 <upload-dir>
文件不能是可执行的,只能被web服务器读写,所以这些文件应该是
The files must not be executable and should only be readable and writable by the web server,so these should be
chmod 0600 <uploaded-file>
请注意,这意味着只有网络服务器用户才能看到这些文件.这是最安全的情况.但是,如果您确实需要其他本地用户能够看到这些文件,那么请使用
Please note that this means that only the web server user will be able to see these files. This is the best situation for security. However, if you really do need other local users to be able to see these files,then use
chmod 0755 <upload-dir>
chmod 0644 <uploaded-file>
处理网络服务器可执行文件
针对案例 2 的编码是特定于 Web 服务器的.
Coding against case 2 is web server specific.
一种选择是将上传目录放在 webroot 之外,完全禁止对上传文件的直接 URL 访问,并且只能通过服务器端代码提供这些文件.您的代码读取并回显文件内容,从而确保它永远不会被 Web 服务器作为脚本处理
One option is to place the upload directory outside of the webroot, dissalowing direct URL access to the uploaded files completely and only to serve them via server-side code. Your code reads and echoes the file content, thus ensuring it is never processed as script by the web server
另一个选项是将您的网络服务器配置为不允许对上传目录中的文件进行脚本处理.此配置是特定于 Web 服务器的.但是,例如,在 Apache 中,您可以通过输入服务器配置来实现此目的:
The other option is to configure your web server to not allow script processing of files in the upload directory. This configuration is web-server specific. However, for example, in Apache you can achieve this this by entering into your server configuration:
<Directory "path-to-upload-dir">
AllowOverride None
Options -ExecCGI
</Directory>
AllowOverride None 很重要,因为它会阻止任何人将 .htaccess 文件上传到您的上传目录并重新配置该目录的 Web 服务器权限.
AllowOverride None is important, as it stops anyone uploading a .htaccess file to your uploads directory and re-configuring the web server permissions for that directory.
这篇关于如何保护 Web 服务器的图像上传目录?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
