我正在执行一项使 PHP 文件上传安全的任务,我的客户希望遵循网站http://www.acunetix.com/websitesecurity/upload-forms-threat.htm上提到的指南
我们能够遵循本网站上提到的所有准则接受 htaccess 规则。他们提到要做以下事情。
Define a .htaccess file that will only allow access to files with allowed extensions.
Do not place the .htaccess file in the same directory where the uploaded files will be stored. It should be placed in the parent directory.
A typical .htaccess which allows only gif, jpg, jpeg and png files should include the following (adapt it for your own need). This will also prevent double extension attacks.
deny from all
<Files …