1

I built a form that lets the user to upload files to a specific directory (apache2, php). I already limited file type and did some other security things. But I would anyway also like to deny the execution of those files to all. They're meant to be only downloaded. I've got the following code for htaccess, but it's a fake one, not sure of the syntax, nor if it's the right way of doing it:

<Location "/example/mydir/">
    <Files .>
        ForceType application/octet-stream
        Header set Content-Disposition attachment
    </Files>
</Location>

Could you please help me correct that code or change it to best practices?

Improve this question
3
  • Note that returning a different Content-type doesn't do what you really want, you have to disable PHP altogether and uploads of .htaccess, .ini files. Possible duplicate of stackoverflow.com/questions/1271899/…
    – 1lastBr3ath
    Commented May 30, 2018 at 3:03
  • I do not want to just disable php, I want to deny execution of any file type.I thought that by forcing download instead of execution I could avoid that.
    – Luca Reghellin
    Commented Jun 3, 2018 at 3:32
  • Download happens in browsers until when the file is already executed. So, even when you force php files to be downloaded, you'll get an HTML file and not PHP source code.
    – 1lastBr3ath
    Commented Jun 3, 2018 at 3:56

1 Answer 1

Reset to default
-1

If you want to make sure that the files are not executed, then the best way is to not let users access the files directly.

"But how do you download them if you cant access them?" you might ask. Answer is that you provide a public facing download script that fetches the local file and presents it as a forced download to the user.

You can look at this to see how that can be accomplished.

Improve this answer
1
  • 2
    Be careful when you do this! Simply taking a path and returning the content of the file will get you exploited pretty quickly.
    – user163495
    Commented Jul 15, 2019 at 15:37

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .