WordPress.org

Ready to get started?Download WordPress

Forums

[closed] Using PHPS for showing off source, ideas, looking for feedback on idea. (3 posts)

  1. Mark / t31os
    Moderator
    Posted 4 years ago #

    Hi all,

    I've been having a mess around with some code for managing uploaded media, primarily uploading PHP and PHPS files, the latter being PHP Source, which is somewhat lacking information around the web.

    I've added some additional mime types to my test install, so i can uploaded PHP and/or PHPS files, i then use this for Plain Text style display. Of course i'm sure some of you are wondering what the security implications of this are... and this is really where my question starts..

    I'm using .htaccess to force the content type on any files in the uploads folder that match .php or .phps, i then call up these attachments via thickbox using the iframe method, the code is loaded as phps (or PHP source) which in short is a syntax coloured version of plain/text designed for showing off PHP code.

    I'm redirecting all requests to the files directly, and mapping new custom URLs to the orginal locations, here's an example.

    Actual Path: /wp-content/uploads/year/month/day/example.php
    After rewrite: /source/year/month/day/example/

    I've hooked into the appropriate places to ensure all attachment paths now reflect the custom URLs, meaning whenever a path to a php file in the uploads folder appears (in the media uploader or in a post) it's replaced with my custom URL equivalent.

    Everything works.. attachment pages can open a thickbox with phps formatted PHP code, which is much cheaper (performance wise) then the syntax highlighting plugins.

    The only concern i have is, whether i should be worried about placing PHP files into my uploads folder, even with the forced content type, am i putting myself at risk?

    Is there anyone here who can comment on the implications of using this approach? Am i safe?

    NOTE: I've not implemented this on my live site, it's just in a testing phase, and i'd like to get a little feedback on the idea..

    UPDATE: No longer need feedback on this, don't run self hosted WordPress on the web, now using a .com blog for posting blogs..

  2. Qurl
    Member
    Posted 4 years ago #

    What happens if someone starts a bit creative browsing? In stead of requesting /source/year/month/day/example/ the visitor requests /wp-content/uploads/year/month/day/example.php. It's not hard to find out if a site is using WordPress and most are using the same upload structure.

    I would recommend to move the fileystem upload directory out of the webroot, so the PHP(S) files can only be requested via a wrapper script. And please... do not just trust what the wrapper script receives for processing the PHP(S) files.

  3. Mark / t31os
    Moderator
    Posted 4 years ago #

    Although files may exist, for example..

    /wp-content/uploads/2010/01/example.php

    Any such requests would be sent to a 404... else the rewrites are pretty pointless, i might aswell use the real path if i don't redirect them..

    It's not about making the files hidden, but more about preventing people from doing a direct /wp-content/uploads/example.php request to look at the php/phps files..

Topic Closed

This topic has been closed to new replies.

About this Topic