[Pmwiki-users] more thoughts on .htaccess
Patrick R. Michaud
Tue Dec 7 07:23:07 CST 2004
On Tue, Dec 07, 2004 at 01:20:55PM +0100, Joachim Durchholz wrote:
> [lots of useful information about .htaccess and Apache configuration]
First I just want to say thanks to Joachim for his excellent explanation
of .htaccess and performance (which I generally agree with). But on
the topic of uploads...
> >Should there be similar protection applied to the "uploads/" directory
> >to keep people from uploading scripts and executing them?
> Most definitely!!!
> That's even more important than on the local/ directory. End users don't
> have access to local/, but they do have access to uploads/ and can place
> arbitrary contents into it.
...arbitrary? Are you talking about arbitrary through PmWiki (which
disallows certain extensions) or arbitrary through the webserver?
> The standard policy for upload directories is:
> 1) Don't give out read access to anybody.
Without read access we can't see the list of currently attached files.
Oh, I suppose we could create a separate index file for that, but then
what's the point of disallowing read access?
> 2) Have some CGI code that takes the uploads, does any HTML quoting or
> whatever is necessary to render the contents harmless, and only after
> that copies the content to directories from which the uploads may then
> be served.
This is what PmWiki currently does, except it simply disallows
filetypes that might be dangerous, or otherwise mangles their filenames
to make sure they aren't dangerous.
...or am I totally misreading the point of your message, or some other
situation I have overlooked?
More information about the pmwiki-users