[Pmwiki-users] more thoughts on .htaccess

Joachim Durchholz jo
Fri Dec 10 03:46:36 CST 2004

Sorry for responding so late, the spam filter was a bit over-eager.

Patrick R. Michaud wrote:

> On Tue, Dec 07, 2004 at 01:20:55PM +0100, Joachim Durchholz wrote:
>>[lots of useful information about .htaccess and Apache configuration]
> First I just want to say thanks to Joachim for his excellent explanation
> of .htaccess and performance (which I generally agree with).

Thanks :-)

 >  But on the topic of uploads...
>>>Should there be similar protection applied to the "uploads/" directory 
>>>to keep people from uploading scripts and executing them?
>>Most definitely!!!
>>That's even more important than on the local/ directory. End users don't 
>>have access to local/, but they do have access to uploads/ and can place 
>>arbitrary contents into it.
> ...arbitrary?  Are you talking about arbitrary through PmWiki (which
> disallows certain extensions) or arbitrary through the webserver?

"Arbitrary" in the sense of "for webservers in general".
I wasn't aware that PmWiki has a file name policy in place - that 
removes quite a lot of potential security holes.
I'm not sure whether the client has any say on the names of the uploaded 
files. If not, disallowing read access on the uploads/ directory is just 
a way to protect end users from inadvertently seeing URLs that don't 
make sense to them anyway; if yes, disallowing read access plugs an 
attack vector directed from one end user against another one (the server 
isn't affected unless one can trick it into executing something that's 
in uploads/ - but even TWiki didn't do that *g*).

>>The standard policy for upload directories is:
>>1) Don't give out read access to anybody.
> Without read access we can't see the list of currently attached files.
> Oh, I suppose we could create a separate index file for that, but then
> what's the point of disallowing read access?

The idea is that the uploads/ directory is a quarantine area. It 
contains files that have been accepted but not yet been checked for 
conformance with whatever policy the site imposes on uploads, and/or not 
yet properly integrated into the site itself.

For example, a site might:
* want to run a virus scanner over uploaded contents
* check that files don't start with a shebang line
   (e.g. if the site has binfmt_misc in place)
* apply size limits (no uploads in excess of 50 KB)
   (I know this can be enforced via Apache, but the Apache limit may
   be over-general, e.g. we might want to restrict text files to 50K
   and images to 1MB)
* check file names (first letter not a dot, no executable extensions
   such as .php or .shtml)

The idea is that only policied data can be served. Set up a quarantine 
area so that data can only be uploaded into it, but not read, and have 
only checked and cleaned data wander from quarantine into the 
servable-content area.

> ...or am I totally misreading the point of your message, or some other
> situation I have overlooked?

There may be a confusion of terminology at work here. I took "uploads/" 
to be the directory into which uploaded files are immediately stored. If 
the uploads go into e.g. /tmp/ first, then /tmp/ can serve as quarantine 
area (and probably does).


More information about the pmwiki-users mailing list