问题描述
我见过很多上传表单被黑客入侵,其中一些对正在上传的文件进行了一些非常好的安全检查(至少我是这么认为的),但仍然有人设法上传了一个 PHP 文件.
I have seen a lot of upload forms hacked, and some had some really good security checks of the file being uploaded (at least I think so), but still somebody managed to upload a PHP file.
我想知道:有没有办法在具有 777 权限的上传文件夹中上传文件?我正在考虑使用 HTTP PUT.
I was wondering: is there is a way to upload a file in the uploads folder that has 777 permissions? I am thinking of using HTTP PUT.
推荐答案
一般来说 777 几乎是不安全...这意味着任何人都可以读取和写入您的文件.
In general 777 is about as insecure as it gets... that means anybody can read and write to your files.
如果您允许在您的服务器上执行上传的文件,那么 HTTP PUT 本质上并不比 HTTP POST 更安全.
HTTP PUT isn't inherently any more secure than HTTP POST if you're allowing the uploaded files to be exceuted on your server.
总体而言,如果您允许执行任意文件,则需要在服务器端进行非常好的文件检查,并且在服务器上使用 chroot 是明智的.
Overall, if you are allowing arbitrary files to be executed you need to be doing very good file checking server-side, and using chroot on the server would be wise.
在权限方面,我通常将任何可通过网络访问的内容设置为网络服务器用户拥有的 644.
Permission-wise, I generally set anything web-accessible to 644 owned by the webserver user.
这篇关于设置上传文件夹 777 权限是否安全?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持跟版网!