[pmwiki-users] Disallow scripts in upload directories
5ko at 5ko.fr
Fri Mar 22 22:51:09 CDT 2013
Oliver Betz writes:
> >I'd like to read some opinions from different people about this question -
> >if you can do some tests on your own servers, please find out what .htaccess
> >settings disallow script execution for the uploaded files on your wiki, and
> >report here.
> Strange that nobody cares.

One of the shared hostings I can test appears to have no way to prevent the
execution of a file.php.txt. They have some custom modified version of
Apache with PHP/FastCGI and "Options -ExecCGI" does nothing,
"SetHandler ...", "AddType ...", "ForceType ..." and other suggested
solutions cause an internal server error.

This is indeed a serious concern if a wiki allows uploads from not
completely trusted persons. I would advise either disabling uploads from
not completely trusted editors or upgrading to the most recent version and
configuring the $UploadBlocklist array.

On another shared hosting the file.php.txt is not executed but causes an
internal server error, which means that their default installation has some
problem - the server tries to do something with this file instead of just
serving it as plain text. Your proposed solution for .htaccess works though.

> BTW: I asked in the apache user mailing list about "Options -ExecCGI"
> and "SetHandler default-handler" but didn't get any reply.

The Apache documentation is excellent but there are a huge number of
configuration options. On a particular installation not every option can
be selected, and not every problem can be reproduced by the other users, and
in that case the other users will not be able to help much. :-)
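
Added example, not part of the original message and not PmWiki code: a blocklist such as $UploadBlocklist only stops new uploads, so files already in the uploads directory need a separate audit for names like file.php.txt. The sketch below assumes the blocklist is matched as a case-insensitive substring of the file name; the list contents and the sample directory tree are constructed for illustration.

```python
import os
import tempfile

# Assumed sample blocklist (not PmWiki's shipped default): strings that must
# not appear anywhere in an uploaded file name, compared case-insensitively.
BLOCKLIST = ('.php', '.pl', '.cgi', '.py', '.shtm', '.phtm', '.asp', '.jsp', '.sh')


def blocked_by(name, blocklist=BLOCKLIST):
    """Return the blocklist entries that occur anywhere in the file name."""
    lower = name.lower()
    return [entry for entry in blocklist if entry in lower]


def audit_uploads(root, blocklist=BLOCKLIST):
    """Walk an uploads tree; return sorted (relative path, matches) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            hits = blocked_by(fname, blocklist)
            if hits:
                rel = os.path.relpath(os.path.join(dirpath, fname), root)
                findings.append((rel, hits))
    return sorted(findings)


def demo():
    """Build a constructed uploads tree in a temp directory and audit it."""
    sample = ('Main/file.php.txt', 'Main/notes.txt',
              'Site/Logo.PHP5.png', 'Site/logo.png')
    with tempfile.TemporaryDirectory() as root:
        for rel in sample:
            path = os.path.join(root, *rel.split('/'))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, 'w').close()
        return audit_uploads(root)


if __name__ == '__main__':
    for rel, hits in demo():
        print(f'{rel}: matches {", ".join(hits)}')
```

Substring matching also flags harmless names such as report.plan.txt (it contains ".pl"), so review the findings before renaming or deleting anything.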