Added security for uploads

schatzlab · May 31, 2016 · 89e54ef · 89e54ef
1 parent c2dc9e0
commit 89e54ef
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 9 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,5 +1,8 @@
 user_data/*
+!user_data/.htaccess
 user_uploads/*
+!user_uploads/.htaccess
+
 !user_data/example*
 !user_data/index.html
 !user_uploads/index.html

diff --git a/file_upload.php b/file_upload.php
@@ -1,16 +1,8 @@
 <?php
 
-
-    $code = $_POST["code_hidden"];
+    $code = escapeshellarg($_POST["code_hidden"]);
     $name = "./user_uploads/" . $code;
 
     move_uploaded_file($_FILES['file']['tmp_name'], $name);
-
-    ////for debugging:
-    //file_put_contents( 'yowtf', print_r($_POST["code_hidden"], true));
-    //
-    //
-    //file_put_contents( 'yohai', print_r($name, true));
-    //
 
 ?>
diff --git a/user_data/.htaccess b/user_data/.htaccess
@@ -0,0 +1,2 @@
+php_flag engine off
+
diff --git a/user_uploads/.htaccess b/user_uploads/.htaccess
@@ -0,0 +1,2 @@
+php_flag engine off
+