"Bad" file extensions that should be avoided on a file upload site?


Question

I'm re-writing a file hosting site, and I want to have the ability to host every single file type (instead of just having a whitelist of allowed extensions).

I'm running nginx and Linux. Site is built in PHP. I'd disable the upload of .php files... but other than that... is there anything else I should watch out for?

Solution

A cleaner manner to solve the problem would be to set up a subhost (something like files.somewhere.com) or a directory, and disable execution via a .htaccess (users will be able to upload a PHP script, but the server will send it instead of executing it).
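
The question states the site runs on nginx, which does not read .htaccess files, so the same "serve, never execute" separation is expressed in the server configuration. The following is an added example, not part of the original answer; the host name is the one from the answer, while `/srv/uploads` and the choice of response headers are assumptions.

```nginx
# Added example: a dedicated upload host that only ever serves stored files
# as static downloads. /srv/uploads is an assumed path and must sit outside
# the document root of the PHP application. TLS settings are omitted.
#
# For comparison, the weak layout is storing uploads under the application
# host's root, where a `location ~ \.php$` block with `fastcgi_pass` matches
# an uploaded .php file and hands it to the interpreter.
server {
    listen 80;
    server_name files.somewhere.com;
    root /srv/uploads;

    # This server block contains no fastcgi_pass or proxy_pass directive,
    # so no request to this host can reach PHP regardless of file extension.

    # Drop the extension-to-MIME mapping: every file is sent as opaque bytes.
    types { }
    default_type application/octet-stream;

    location / {
        # Force a download instead of in-browser rendering (HTML, SVG, ...).
        add_header Content-Disposition "attachment" always;
        # Stop browsers from guessing a renderable type from the content.
        add_header X-Content-Type-Options "nosniff" always;
        # If a browser renders the response anyway, give it no capabilities.
        add_header Content-Security-Policy "default-src 'none'; sandbox" always;
        try_files $uri =404;
    }

    # Do not serve dotfiles that may end up in the upload directory.
    location ~ /\. {
        return 404;
    }
}
```

Serving uploads from a separate host name also keeps any content a browser does render out of the main site's origin, so it cannot read that site's cookies.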
