Blueimp Jquery File Upload Permission issue

Blueimp JQuery FileUpload  is probably the most common upload component used in PHP websites. The problem people sometimes face is that actual folder into which files are uploaded requires a 777 permission. This is a big security risk as anyone can upload any script into the folder and then execute it. Unfortunately the component does not work if you put the permission as 776 or 775.

Blueimp provides a workaround by adding an .htaccess file in the uploads folder. This forces any direct access to a file within the folder to be treated as a download , thus preventing any execution.

So if the uploads is folder is “photos/files” and if someone manages to upload a file called test.php using the upload component, then he can directly execute http://site.com/photos/files/test.php .

With the .htaccess in photos/files, the same url will show a download dialog.

download

 

 

 

 

 

 

 

 

 

 

 

 

The .htaccess file is given below:

ForceType application/octet-stream
Header set Content-Disposition attachment
<FilesMatch “(?i)\.(gif|jpe?g|png)$”>
ForceType none
Header unset Content-Disposition
</FilesMatch>
Header set X-Content-Type-Options nosniff

 

 

Save

Be the first to comment

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.