[Pmwiki-users] more thoughts on .htaccess

Patrick R. Michaud pmichaud
Tue Dec 7 07:23:07 CST 2004


On Tue, Dec 07, 2004 at 01:20:55PM +0100, Joachim Durchholz wrote:
> [lots of useful information about .htaccess and Apache configuration]

First I just want to say thanks to Joachim for his excellent explanation
of .htaccess and performance (which I generally agree with).  But on
the topic of uploads...

> >Should there be similar protection applied to the "uploads/" directory 
> >to keep people from uploading scripts and executing them?
> 
> Most definitely!!!
> That's even more important than on the local/ directory. End users don't 
> have access to local/, but they do have access to uploads/ and can place 
> arbitrary contents into it.

...arbitrary?  Are you talking about arbitrary through PmWiki (which
disallows certain extensions) or arbitrary through the webserver?

> The standard policy for upload directories is:
> 1) Don't give out read access to anybody.

Without read access we can't see the list of currently attached files.
Oh, I suppose we could create a separate index file for that, but then
what's the point of disallowing read access?

> 2) Have some CGI code that takes the uploads, does any HTML quoting or 
> whatever is necessary to render the contents harmless, and only after 
> that copies the content to directories from which the uploads may then 
> be served.

This is what PmWiki currently does, except it simply disallows 
filetypes that might be dangerous, or otherwise mangles their filenames
to make sure they aren't dangerous.

...or am I totally misreading the point of your message, or some other
situation I have overlooked?

Pm
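The "similar protection for uploads/" being discussed can be expressed as an Apache per-directory configuration. This is an added example, not configuration from the thread or from PmWiki; it assumes Apache 2.4 with AllowOverride permitting Options, FileInfo and Limit in that directory, and PHP running as mod_php (the php_flag line is ignored by other SAPIs).

```apache
# uploads/.htaccess (added example, assumed layout: this file sits in the uploads/ directory)

# Weak default: inherited server settings may still honour script handlers here,
# so a file named evil.php placed in uploads/ would be executed, not served.
# The directives below turn that off for everything under uploads/.

# No CGI execution and no server-side includes in this tree.
Options -ExecCGI -Includes

# Detach any script handlers/types that a parent AddHandler/AddType attached.
RemoveHandler .php .phtml .php3 .php4 .php5 .pl .py .cgi .shtml
RemoveType    .php .phtml .php3 .php4 .php5

# mod_php only: disable the PHP engine for this directory outright.
php_flag engine off

# Belt and braces: refuse to serve script-looking names at all, so that even a
# misconfigured parent cannot hand them to an interpreter.
<FilesMatch "(?i)\.(php[0-9]?|phtml|pl|py|cgi|sh|shtml)$">
    Require all denied
</FilesMatch>

# Everything else (images, documents) is served as plain static content.
```

Apache 2.2 users replace `Require all denied` with `Order allow,deny` followed by `Deny from all`.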
