[Pmwiki-users] Re: more thoughts on .htaccess

Joachim Durchholz
Fri Dec 10 07:20:40 CST 2004


Sorry for responding so late; my spam filter was over-eager.

Neil Herber wrote:
> At 2004-12-07  01:26 PM +0100, Joachim Durchholz is rumored to have said:
> 
>> Gunnar Wagenknecht wrote:
>>
>>> What you wanna do is to disallow some file extensions and to 
>>> downgrade scripts (php) to text files.
>>> AddType text/plain .php
>>
>> This doesn't help - all it does is instruct Apache to consider the 
>> output from the PHP script as text/plain. You have to use the 
>> AddHandler directive to disable scripting. (There's a handler that 
>> will convert PHP source code to nicely syntax-highlighted and 
>> nl2br-converted HTML code, which is usually associated with .phps 
>> files - I forgot its name, but Google should find it easily; I'd 
>> expect that it comes with the mod_php module and would be perfect for 
>> preventing .php files from executing, just associate that handler with 
>> .php and .php3 instead of the usual PHP handler.)
>>
>> Actually it's better to disallow downloads in general, then the 
>> handler associated with .php files doesn't matter.
> 
> I presume you mean to disallow uploads.

I meant "disallow downloads from the uploads/ directory in general".

> This might be excessively restrictive as long as the only upload method 
> is via PmWiki.

Such permissions can be given on a per-directory basis.

> It provides some protection by limiting the allowable
> extensions on an upload as well as limiting the size of the upload. I 
> was initially concerned to see that ".exe" was an allowable extension in 
> the defaults, but that does not seem to pose any danger to the server. 

The server should never ever execute anything that comes from an upload!

> It certainly could pose a danger to a client who downloads the ".exe".

Yup - as does .scr, .pif, .doc, etc. etc. etc. (this applies to Windows 
only, Mac and Unix don't usually associate executability with filename 
extensions).

OTOH if PmWiki makes sure it displays the full filename including any 
extensions, the user is warned if he downloads something executable. I'd 
leave any extension-related restrictions out of any Wiki - that's just 
trying to be smarter than the end user.

It would also disable PmWiki as a software distribution platform (just 
make sure you download nothing from a page where everybody can upload 
attachments to *g*).

More useful is an indication who uploaded a file. That way, users can 
easily check whether they want to trust a file uploaded by a given person.
If it's not just the user name but also an indication of the user's 
status (group membership? - something along that line), users could 
adjust their trust based on group membership of the uploader. "herbert 
(admin)" just is far more trustworthy than just "herbert" :-)

Just my 2c.

Regards,
Jo
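As an added example (not from the thread or from PmWiki itself), an .htaccess for the uploads/ directory that does what is described above: it strips the PHP handler instead of merely relabelling the MIME type, and refuses to serve script-like files at all. It assumes Apache 2.4 with mod_php and an AllowOverride that permits Options, FileInfo and AuthConfig.

```apache
# Constructed example for PmWiki's uploads/ directory (not shipped with PmWiki).
# Goal: nothing uploaded here is ever executed by the server.

# "AddType text/plain .php" alone only changes the Content-Type label;
# the directives below remove the execution path itself.

# 1. Switch the PHP engine off for this subtree (mod_php only; a FastCGI/FPM
#    setup ignores php_flag, so the handler removal in step 2 still matters).
<IfModule mod_php.c>
    php_flag engine off
</IfModule>

# 2. Drop every handler and type mapping that could route files to the
#    interpreter. RemoveHandler also covers double extensions such as
#    "report.php.txt", which AddHandler-based setups otherwise match.
RemoveHandler .php .php3 .php4 .php5 .phtml .phps
RemoveType    .php .php3 .php4 .php5 .phtml .phps

# 3. Disable CGI and server-side includes here regardless of global settings.
Options -ExecCGI -Includes

# 4. Refuse to serve script-like names at all, whatever handler survives.
<FilesMatch "\.(php[0-9]?|phtml|phps|cgi|pl|py|sh)$">
    Require all denied
</FilesMatch>

# Alternative to step 4, matching the "disallow downloads in general" idea:
# deny direct fetches entirely and let the wiki mediate access.
# <RequireAll>
#     Require all denied
# </RequireAll>

# If showing uploaded PHP as highlighted source is preferred, the handler the
# thread refers to is "application/x-httpd-php-source":
# AddHandler application/x-httpd-php-source .php
```

A quick check after deploying: request a file named test.php from uploads/ and confirm the response is 403 rather than PHP output.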


