XF 2.1 secure upload files on data and internal_data

[Radhi]

Hello
how to secure upload files on data and internal_data.

Since the folders have 777 permissions.
It is a high risk that may cause dangerous files to be uploaded.

 

[Kirby]

Those folders do not necessarily have to be 777 (in fact I'd recommend to never make them world writable); they only need to be readable/browsable/writable by the user running the PHP files and data needs to be readble/browsabe by the user running the webserver.

On our servers the data ist 755 and internal_data is 700, the files are 644.
(I probably might add code to further lower down permissions on internal_data)

 

[Radhi]

Those folders do not necessarily have to be 777 (in fact I'd recommend to never make them world writable); they only need to be readable/browsable/writable by the user running the PHP files and data needs to be readble/browsabe by the user running the webserver.

On our servers the data ist 755 and internal_data is 700, the files are 644.
(I probably might add code to further lower down permissions on internal_data)

Thank you
Ok, what should I do exactly for the passes, which are now 777
And if I return it 755, I cannot upload attachments to the forum.

 

[Kirby]

Well, it's your server - configure it properly

If you do not want the directories to be 777 make sure that the user executing the PHP files has write permission, either by running PHP as the user who owns the files/folders or via POSIX ACL.