disable user to upload certain file format from file manager

van helsing

Hello
I have a domain named xyz.com with a user, say "ABC". I want to disable uploading of .exe files in the public_html folder.
Please suggest a way to make the user unable to upload *.exe files from the file manager.
 
Hello,

Here you are:

PHP:
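#!/usr/local/bin/php
<?

// The hook reads the requested command and action from the environment.
$command=getenv('command');
$action=getenv('action');

// Only act on File Manager uploads.
if ($command == "/CMD_FILE_MANAGER" && $action == "upload")
{
    foreach($_SERVER as $key => $val)
    {
        // Look at every variable whose name starts with "file".
        if(strpos($key,"file")===0)
        {
            // Drop the last 6 characters of the value before checking it.
            $file=substr($val,0,-6);
            // Case-sensitive substring match: ".exe" anywhere in the name triggers it.
            if (strpos($file,".exe")!==false){
                print "You seem to be uploading a file with forbidden extension <b>".htmlspecialchars($file)."</b>";
                // Exit non-zero after printing the message.
                exit(1);
            }
        }
    }
}
exit(0);

?>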

You should add it into /usr/local/directadmin/scripts/custom/all_pre.sh

Code:
touch /usr/local/directadmin/scripts/custom/all_pre.sh
chmod 700 /usr/local/directadmin/scripts/custom/all_pre.sh

Note, the code cannot be used in /usr/local/directadmin/scripts/custom/all_pre.sh if you already have anything else there.

This code relies only on the filename; you are not protected if your user changes the filename before uploading, e.g.

from my.exe to my.tmp

and changes the name back after uploading.
 
I presume the author disabled *.exe in proftpd.conf already, if not then a solution would be to use PathDenyFilter of ProFTPd.
 
PathDenyFilter is from proftpd. That part is already done.
I was asking for a solution for disabling file upload from the file manager.
I am still working on the code suggested by zEitEr but am still getting some errors.
 
You can still upload a file and change the extension to .exe! Or use htaccess to handle .whatever like .exe files. Oh and yes, also disable .scr because these files are executables too.
 
Yes, it's still possible to do so. Even if not via FTP or the DirectAdmin File Manager... a user might be able to set up a special PHP/Perl script for managing/uploading/downloading/sharing such files. And the files can be stored on the HDD named randomly and without extensions, and the PHP script which serves the files for download will still rename them as needed.

So of course there is no 100% protection, but we still do not know the whole situation of the TS, so the answer was given in direct response to the question.
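
Added example, not part of any post in this thread: the replies above point out that a name-only filter misses `.scr`, other letter cases and files renamed before upload, so this shell sketch checks the name (case-insensitive, anchored at the end) and also the first two bytes for the `MZ` signature that DOS/PE executables start with. The function names and the constructed sample files are assumptions made for illustration; nothing here is DirectAdmin's own API.

```shell
#!/bin/sh
# Added example, not code from the thread: check files by name and by content.

BLOCKED_EXT="exe scr"   # the two extensions named in the thread

# True when the name ends in a blocked extension, in any letter case.
has_blocked_ext() {
    name=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    for ext in $BLOCKED_EXT; do
        case "$name" in *."$ext") return 0 ;; esac
    done
    return 1
}

# True when the file starts with "MZ", the signature that opens DOS/PE executables.
has_mz_header() {
    [ -f "$1" ] || return 1
    [ "$(dd if="$1" bs=2 count=1 2>/dev/null)" = "MZ" ]
}

# List files under a directory that match by content or by name.
scan_dir() {
    find "$1" -type f | while IFS= read -r f; do
        if has_mz_header "$f"; then
            printf 'content\t%s\n' "$f"
        elif has_blocked_ext "$f"; then
            printf 'name\t%s\n' "$f"
        fi
    done
}

# Constructed sample tree: a renamed executable, an upper-case .EXE, a harmless file.
make_sample() {
    d=$(mktemp -d)
    printf 'MZ\220\000\003' > "$d/my.tmp"        # PE-style header, renamed to .tmp
    printf 'plain text\n'   > "$d/Setup.EXE"     # blocked name, harmless content
    printf 'exe notes\n'    > "$d/notes.exe.txt" # ".exe" inside the name only
    printf '%s\n' "$d"
}

sample=$(make_sample)
scan_dir "$sample" | sort
rm -rf "$sample"
```

A content check like this can also run as a periodic scan of public_html, which covers files that arrive by any route and not only through the File Manager.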
 
There is a problem applying this script in /usr/local/directadmin/scripts/custom/all_pre.sh as I already have a script there for IP blocking.
What can be done using .htaccess?
 
What can be done using .htaccess?

Nothing...

There is a problem applying this script in /usr/local/directadmin/scripts/custom/all_pre.sh as I already have a script there for IP blocking.

Then you can put that code into

/usr/local/directadmin/scripts/custom/all_pre.php

Code:
touch /usr/local/directadmin/scripts/custom/all_pre.php
Code:
chmod 700 /usr/local/directadmin/scripts/custom/all_pre.php

and add this line

Code:
/usr/local/directadmin/scripts/custom/all_pre.php

into /usr/local/directadmin/scripts/custom/all_pre.sh
 
Following the same code I am getting this error:

all_pre.php: line 2: ?: No such file or directory
all_pre.php: line 4: syntax error near unexpected token `'command''
all_pre.php: line 4: `$command=getenv('command');'
 
I guess you've missed the very first line in the file:

Code:
#!/usr/local/bin/php
<?
 
Maybe he should use:

php /usr/local/directadmin/scripts/custom/all_pre.php

in the all_pre.sh file and remove the first line... and maybe also use <?php instead of just <?, because it should be denied in php.ini

Regards
 
After changing <? to <?php

Again the same error:
all_pre.php: line 2: ?php: No such file or directory
all_pre.php: line 4: syntax error near unexpected token `'command''
all_pre.php: line 4: `$command=getenv('command');'
 
I also added php /usr/local/directadmin/scripts/custom/all_pre.php in all_pre.sh but am getting the same output.
 
It means that the file is not executed by php binary (is not recognized as PHP script).

What do you see with

Code:
whereis php
which php
?
 
The output of whereis php:
php: /bin/php /usr/local/bin/php /usr/local/lib/php.ini /usr/local/lib/php /usr/local/php

which php
/usr/local/bin/php
 
OK, make sure there is not a single character at the very beginning of the file: no space, no tab, nothing else.
Your first char should be #, as the beginning of #!/usr/local/bin/php
 