[Gllug] apache question

Richard Jones rich at annexia.org
Sat Apr 15 13:50:26 UTC 2006

On Sat, Apr 15, 2006 at 01:59:52PM +0100, Alain Williams wrote:
> I moaned to people to NOT put large attachments in email, but to put
> up links instead.  OK they said, but we don't have access to a web
> server where we can put things.  I have written a simple email
> handling script that saves files on a web server and returns them a
> URL that they can put into email to others on the mail list.
> It works well. It then occurred to me what happens if they put up a
> file: delete_everything.php ?
> Question: how to I get Apache to serve up all files in a particular
> directory as straight files, no trying to run as a CGI or whatever ?
> I want to allow that to still work in other directories.
> I have played with a few Options but have not got anywhere ...
> Suggestions SVP

Have you validated the names they supply?  I mean, what happens if
they upload a file called "../../../../var/www/index.html".  What
happens if they UTF-8 encode the slashes using illegal long-forms of

Basically, having people upload files to webservers and writing those
files to disk is a BAD idea.  It's very hard to get it right, and
mistakes can be damaging.

A better, safer, idea is to put the files into a database.  With
PostgreSQL you can just use a BYTEA field to store arbitrary data.
Then your URLs can look like:


(or with some mod_rewriting, like /downloads/1234) and your download
script can deliver a suitable MIME type, without fear that anything
will get executed on the server.


Richard Jones, CTO Merjis Ltd.
Merjis - web marketing and technology - http://merjis.com
Team Notepad - intranets and extranets for business - http://team-notepad.com
Gllug mailing list  -  Gllug at gllug.org.uk

More information about the GLLUG mailing list