Hi Pierre,

On Fri, Feb 6, 2015 at 1:16 PM, Pierre Joye <pierre....@gmail.com> wrote:

> > With SELinux, we can restrict access. However, PHP should be able to
> > read/write uploaded files. PHP just reads and executes them with include.
>
> Again, I am talking about executing files. You can exclude a file,
> path, folder for being invoked with a handler or similar things on a
> web server. It has nothing to do with the PHP ability to access this
> file as normal data. That won't prevent a file_get_contents+eval but
> you get the idea.

OK.

> > Is windows possible to prevent PHP to load script and execute? While
> > allowing write/read access?
>
> Yes and no. It is a web server role. Linux allows access restrictions
> too, Windows only provides a much more fine grained ACL. But again, it
> is not what I am referring to.
>
> > I have similar idea for PHP to have data only dirs.
>
> We have that already, not for php, but for web servers. This is their
> job to deal with that.

Yes, indeed. engine=off per dirs. This is what I suggest to people.
It cannot prevent other dirs' PHP scripts from loading & executing them.
Public upload dir must have this setting.

My idea is controlling it from PHP, not as web server management.
It's better than per dir "engine=off".
It's not too important for me now, so it's not my priority.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
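
Added example, not part of the original message and not an existing PHP feature: a userland sketch of the "data only dirs" idea, covering the gap that per-directory engine=off leaves open when a script in another directory includes an uploaded file. The names in_data_only_dir() and guarded_include() and the demo paths are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical userland guard (not a PHP core feature): refuse to include
// any file that resolves into a directory declared data-only.
function in_data_only_dir(string $path, array $dataDirs): bool
{
    $real = realpath($path);            // resolves symlinks and "../"
    if ($real === false) {
        return true;                    // fail closed on unresolvable paths
    }
    foreach ($dataDirs as $dir) {
        $realDir = realpath($dir);
        if ($realDir === false) {
            continue;                   // directory does not exist, nothing is in it
        }
        $prefix = rtrim($realDir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        if (strncmp($real, $prefix, strlen($prefix)) === 0) {
            return true;
        }
    }
    return false;
}

function guarded_include(string $path, array $dataDirs)
{
    if (in_data_only_dir($path, $dataDirs)) {
        throw new RuntimeException("refusing to execute file in data-only dir: $path");
    }
    return include $path;
}

// Constructed demo: one code dir and one upload dir under the temp directory.
$base    = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dataonly_demo_' . getmypid();
$code    = "$base/app";
$uploads = "$base/uploads";
mkdir($code, 0700, true);
mkdir($uploads, 0700, true);
file_put_contents("$code/hello.php", '<?php return "app code ran";');
file_put_contents("$uploads/avatar.php", '<?php return "uploaded file ran";');

echo guarded_include("$code/hello.php", [$uploads]), PHP_EOL;
foreach (["$uploads/avatar.php", "$code/../uploads/avatar.php"] as $p) {
    try {
        guarded_include($p, [$uploads]);
    } catch (RuntimeException $e) {
        echo $e->getMessage(), PHP_EOL;
    }
}
```

The guard only covers includes routed through guarded_include(); a bare include or a file_get_contents+eval elsewhere in the code base bypasses it, so the web server's per-directory setting on the public upload dir is still needed.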