Tag Archives: Security

Preventing PHP/Perl script execution of user-uploaded files while keeping them downloadable

16 Sep

You wrote a rather large PHP script which you would like to share with the world, let's say a small WordPress plugin. If you just upload it via the WordPress post publishing interface, you will find that when you click the link to download it, the script is executed on the server instead of the browser showing its download interface.

This is why even small scripts are usually distributed as ZIP files, but if your site runs on an Apache web server there is a small and fast cure for the problem: just add the following line to the .htaccess file (you might need to create it) at the root of your uploaded file directory hierarchy ([wordpress installation path]/wp-content/uploads in WordPress):

AddType application/octet-stream .pl .cgi .php

This line tells Apache that the PHP/Perl/CGI files in that directory should be treated as a simple stream of bytes, and it will not try to execute them. The browser, in turn, will know that it should not try to display the files and will start a download.

This is actually a kind of security feature. If you are running a site which lets other users upload files (a WordPress site with multiple authors), you don’t want them to be able to upload executable scripts.
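One way to confirm the directive took effect, as an added example that is not part of the original post: put a harmless test script whose source you know into the uploads directory and compare what the server returns with that source. The function names, the test script, the sample responses and the example.com URL are constructed for illustration.

```python
import urllib.request

# Constructed, harmless test script: if the server runs it, the body is "42".
TEST_SOURCE = b"<?php echo 6 * 7; ?>\n"

def classify(source, content_type, body):
    """Compare a response with the known source of the test script.

    Returns "download" (raw bytes, application/octet-stream),
    "inline" (raw bytes, but a type the browser may display) or
    "executed" (body is not the source, so the server processed it).
    """
    mime = (content_type or "").split(";", 1)[0].strip().lower()
    if body != source:
        return "executed"
    if mime == "application/octet-stream":
        return "download"
    return "inline"

def check_url(url, source=TEST_SOURCE, timeout=10):
    """Fetch the uploaded test script from your own site and classify it."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return classify(source, resp.headers.get("Content-Type"), resp.read())

# Constructed sample responses (content type, body) for an offline run.
SAMPLES = {
    "directive active": ("application/octet-stream", TEST_SOURCE),
    "directive missing": ("text/html; charset=UTF-8", b"42"),
    "served as text": ("text/plain", TEST_SOURCE),
    "no content type": (None, TEST_SOURCE),
}

def run_samples():
    """Classify every constructed sample and return name -> verdict."""
    return {name: classify(TEST_SOURCE, ctype, body)
            for name, (ctype, body) in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name}: {verdict}")
    # Against a real site (hypothetical URL, replace with your own):
    # print(check_url("https://example.com/wp-content/uploads/test.php"))
```

A verdict of "executed" after the line has been added usually means the .htaccess file is not being read for that directory or another handler mapping in the server configuration still applies to the file.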