Why is my OJS 3.5 website allowing an author to upload an index.php file?
In short, because a journal may legitimately want to include PHP files as part of a submission. For example, a Computer Science journal might have code attachments to submissions.
You are protected from these being used maliciously by keeping them in a file store on the server that is not web accessible. See the installation form, configuration file, and documentation for instructions on how to make sure this is the case.
If you want to control what types of files can be sent with submissions, there is a 3rd party plugin called Allowed Uploads.
Regards,
Alec Smecher
Public Knowledge Project Team
Thanks for your kind information @asmecher
Hi!
Just to complement, .php files are stored on disk with a .txt suffix, so your devtest.php will be stored as devtest.php.txt. This will be applied to:
- Files without extension
- The `php` extension
- Extensions longer than 6 characters (e.g. `.htaccess`)
- Extensions with unexpected characters (any character out of the range `a-z`, `0-9` and `_`)
Of course, from the safety perspective, we can’t offer a perfect solution at this point, as a server can be configured to run .doc files as PHP, .aspx files as a C# script and so on… So Alec’s recommendation is the best for now (there’s another issue in GitHub to keep all the application files in a non-web-accessible folder, which should greatly improve the security).
Best,
Jonas Raoni
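The rename rule described in the post above, reimplemented here as an added example so the two controls in this thread can be checked side by side. This is not OJS's own code: the function names, the sample filenames and the sample paths are constructed for this illustration, and the rule is implemented exactly as the post states it (no extension, the `php` extension, more than 6 characters, or any character outside `a-z`, `0-9` and `_`). The second helper does the check Alec recommends, that the directory configured as the file store (`files_dir` in config.inc.php) is not inside the web server's document root.

```python
import posixpath
import re

# Added example, not OJS code: a re-implementation of the ".txt suffix" rule
# as described in the thread. Names and sample inputs are assumptions.

# An extension the rule leaves alone: 1-6 characters, each in a-z, 0-9 or "_".
_SAFE_EXT = re.compile(r"^[a-z0-9_]{1,6}$")


def _basename(name: str) -> str:
    """Drop any directory part so a name like '../x.php' cannot escape the store."""
    return name.replace("\\", "/").rsplit("/", 1)[-1]


def needs_txt_suffix(name: str) -> bool:
    """True when the described rule would append '.txt' to the stored name."""
    base = _basename(name)
    if "." not in base:
        return True                      # no extension at all
    ext = base.rsplit(".", 1)[1]         # text after the last dot; '.htaccess' -> 'htaccess'
    if ext == "php":
        return True                      # the php extension itself
    # Longer than 6 characters, or any character outside a-z, 0-9 and "_"
    # (this also catches upper-case variants such as 'PhP').
    return _SAFE_EXT.match(ext) is None


def stored_filename(name: str) -> str:
    """Name under which the upload would be written to the file store."""
    base = _basename(name)
    return base + ".txt" if needs_txt_suffix(base) else base


def files_dir_under_docroot(files_dir: str, document_root: str) -> bool:
    """True if files_dir sits inside document_root, i.e. the store is web accessible.

    Pure path comparison on normalised POSIX paths; it does not consult the
    filesystem, so symlinks and Alias-style web server mappings are not detected.
    """
    files = posixpath.normpath(files_dir)
    root = posixpath.normpath(document_root)
    return files == root or files.startswith(root.rstrip("/") + "/")


if __name__ == "__main__":
    # Constructed sample uploads, not real submissions.
    for n in ["devtest.php", "paper.pdf", "README", ".htaccess", "shell.PhP",
              "archive.tar.gz", "../../evil.php", "x.phtml"]:
        print(f"{n!r:20} -> {stored_filename(n)!r}")
    # Constructed sample paths for the document-root check.
    for d in ["/var/www/html/files", "/var/ojs-files"]:
        print(d, "web accessible:", files_dir_under_docroot(d, "/var/www/html"))
```

Note what the rule, taken literally, does not touch: `x.phtml` has a five-character, all-lowercase extension and keeps its name, which is exactly the kind of gap the post acknowledges when it says the suffix is not a perfect solution. That is why the path check matters more than the rename: if `files_dir_under_docroot` returns True for your configuration, move the file store (or the document root) so that nothing in it can be served by the web server at all.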
