
An easy way to prevent execution of the public uploaded files

One of the biggest headaches for web developers is publicly uploaded files: the situation where a user, authenticated or not, can upload files to your server that are then served to the public.

First of all, the developer must make sure that the uploaded file is on the list of allowed file types. That is the easy part, but how do we also prevent server-side execution of the newly uploaded file?

If only images are involved, there are techniques to check the file type and extension, and even server-side image processing tools (re-encoding the image, for example) that can help.

If more file types are allowed for public upload, things get harder. What if a user uploads a script (even one hidden behind an allowed extension or file type) intended for server-side execution? How do we prevent that file from being executed on the server?
This is where NGINX comes in handy, whether it is used directly as the web server or as a reverse proxy in front of Apache.

And the solution is very simple.

Instruct NGINX to serve files from the desired locations as static content, which prevents their execution.

Just add these lines to the NGINX configuration for your site (server block):
server {
   #serve the desired files as static and thus prevent their execution
   #(no fastcgi_pass / proxy_pass here, so NGINX reads the file from disk and returns it as-is)
   location ~ ^/(public_assets|another_public_assets|private_files/public_files)/ {
      root /var/www/;
      access_log off;
      log_not_found off;
      expires max;
   }
}

The excerpt above instructs NGINX to serve the files from the declared locations (public_assets, another_public_assets and private_files/public_files) directly from disk, bypassing any other handler (PHP-FPM, an Apache backend, and so on). Two things must hold for this to work: the block must not contain its own fastcgi_pass or proxy_pass, and it must be placed before any regular-expression location that hands requests to an interpreter (such as "location ~ \.php$"), because NGINX tests regular-expression locations in the order they appear and uses the first one that matches.
Take a look at the private_files/public_files location: this rule applies only to the "public_files" sub-folder, not to the entire "private_files" folder, which should remain protected from direct access.
The "root" directive is the document root declared for the host; the request path is appended to it, so a request for /public_assets/file.ext is read from /var/www/public_assets/file.ext.
Keep in mind that this only stops server-side execution. An uploaded HTML, SVG or JavaScript file served this way is still run by the visitor's browser, so client-side execution (XSS) has to be handled separately, for example by serving uploads from a separate origin.
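As an added example (not part of the original post), here is a complete server block that shows where the static location has to sit relative to a PHP-FPM location, and adds a block that keeps the rest of private_files unreachable. The hostname, the PHP-FPM socket path and the fallback to index.php are assumptions for the sake of the example.

```nginx
server {
    listen 80;
    server_name example.com;          # assumed hostname
    root /var/www;                    # document root for the whole host
    index index.php index.html;

    # Regular-expression locations are tested in the order written and the
    # first match wins, so the three blocks below are deliberately ordered.

    # 1. Upload directories: no fastcgi_pass/proxy_pass, so NGINX only reads
    #    the file from disk. /public_assets/shell.php is returned as a plain
    #    file instead of being handed to PHP-FPM.
    location ~ ^/(public_assets|another_public_assets|private_files/public_files)/ {
        access_log off;
        log_not_found off;
        expires max;
        # stop browsers from guessing a different type than the one declared
        add_header X-Content-Type-Options nosniff always;
    }

    # 2. Everything else under private_files stays unreachable over HTTP
    #    (must come after block 1, or public_files would be denied as well).
    location ~ ^/private_files/ {
        deny all;
    }

    # 3. The application's own PHP files (assumed PHP-FPM socket path).
    #    Block 1 already matched the upload paths, so nothing uploaded
    #    ever reaches this handler.
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }
}
```

Run "nginx -t" after editing and reload. Then verify with a harmless file: place a test.php containing "<?php echo 1; ?>" in public_assets and request it with curl; the response body must contain the literal PHP source, not "1". If NGINX fronts an Apache backend instead of PHP-FPM, block 3 uses proxy_pass instead of fastcgi_pass and blocks 1 and 2 stay exactly the same.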


© Copyright 2017 | Just another information technology blog - All Rights Reserved