WebApp Sec mailing list archives
Re: Enabling PHP uploads
From: Markus Fischer <markus () fischer name>
Date: Wed, 26 Apr 2006 09:06:44 +0200
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Johann Spies wrote:
I would like to hear from the members of this list their opinion about the safety of enabling php's upload abilities on a webserver with several clients. In the past I have declined requests to do so because it cannot be done on a per-user-basis as I understand it and because I was uncertain about the safety of such a setup.
If you're adventurous you could patch PHP so you can configure it per VirtualHost or even per <Directory>, the only thing is that there's maybe a reason it is not so. In main/main.c, if you search for "file_uploads", the third value in the line, PHP_INI_SYSTEM, defines at which points you can alter this value. If it would be like for the include_path, PHP_INI_ALL, it may be likely that you can alter it on a per-directory basis which is maybe sufficient for you. However when you allow .htaccess, this value may be changed by the user himself which is not want you want, as far as I understood you. There are other possible values for the third parameter, like PHP_INI_PERDIR, so maybe you can tune it the way you need it. HTH -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.1 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFETxwE1nS0RcInK9ARAk+TAJ9ooca8JYCQ7tJNANaRFVmokLDW/ACgx4mS 1pMV4nzI7XE9RMb+PZC8A0o= =A7BI -----END PGP SIGNATURE----- ------------------------------------------------------------------------- Sponsored by: Watchfire Watchfire's AppScan is the industry's first and leading web application security testing suite, and the only solution to provide comprehensive remediation tasks at every level of the application. Change the way you think about application security testing - See for yourself. Download a Free Trial of AppScan 6.0 today! https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007kaF --------------------------------------------------------------------------
Current thread:
- Enabling PHP uploads Johann Spies (Apr 24)
- Re: Enabling PHP uploads Markus Fischer (Apr 26)