In my Laravel application, I am using Laravel File Manager to enable users to upload profile images to their profile.
These images are uploaded to /project/public/assets/uploads/images/{user}/.
In a test I carried out, in which I made a POST request to the given route, I was able to upload and execute a PHP script in these directories.
My first thought was to change the contents of the upload folder to use stricter permissions, so I changed every file in the image folder to use the following Unix file permissions: 0644. This should in principle deny public executable action.
I tried the test again, and I could still execute the script.
Failing to bar potentially dangerous uploads, is there a way to disable PHP in a given directory?
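The 0644 bits make no difference here because the web server reads the uploaded file and hands its contents to the PHP interpreter; the execute bit on the file is never consulted. Below is an added Apache 2.4 example, not from the original post or from Laravel File Manager, that disables PHP for the uploads tree named in the question; it assumes Apache serves /project/public with PHP wired in either as mod_php or as PHP-FPM.

```apache
# Added example (not from the original post). Assumes Apache 2.4 serving
# /project/public; put this in the vhost, or the inner directives in an
# .htaccess under the uploads directory if AllowOverride permits it.
<Directory "/project/public/assets/uploads">
    # Refuse to serve any file whose name carries a PHP-style extension
    # anywhere in it (evil.php, evil.phtml, evil.php.jpg, evil.phar).
    <FilesMatch "\.(?i:ph(p[0-9]?|tml|ar|ps))(\.|$)">
        Require all denied
    </FilesMatch>

    # Belt and braces: detach every PHP handler in this tree, so that even a
    # name the pattern above misses is served as inert bytes at most.
    <IfModule mod_php.c>
        php_flag engine off
    </IfModule>
    <IfModule mod_php7.c>
        php_flag engine off
    </IfModule>
    # PHP-FPM setups usually attach the handler with a FilesMatch/SetHandler
    # in the vhost; "None" clears it for this directory.
    <FilesMatch "\.php$">
        SetHandler None
    </FilesMatch>
    RemoveHandler .php .phtml .phar
    RemoveType    .php .phtml .phar
    Options -ExecCGI -Indexes

    # An uploaded .htaccess must not be able to re-enable anything.
    <Files ".htaccess">
        Require all denied
    </Files>
</Directory>
```

Anything served by `php artisan serve` or by a different web server (nginx, Caddy) bypasses this entirely, so it complements, rather than replaces, validating the upload's extension and content in the Laravel controller and storing files under a server-chosen name.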