[pmwiki-users] Disallow scripts in upload directories, was: PmWiki 2.2.49 released
Oliver Betz
list_ob at gmx.net
Sat Mar 9 15:01:35 CST 2013
Petko Yotov wrote:
>This version adds an array $UploadBlacklist containing forbidden strings of
>an uploaded filename (case insensitive).
>
>Some Apache installations try to execute a file which has ".php", ".pl" or
>".cgi" anywhere in the filename, for example, "test.php.txt" may be
>executed. To disallow such files to be uploaded via the PmWiki interface,
>add to config.php such a line:
>
> $UploadBlacklist = array('.php', '.pl', '.cgi');

Thanks for this option, Petko.

In addition, I suggest completely disallowing execution of scripts in
upload directories.

For Apache .htaccess I found:

"Options -ExecCGI" - that's very effective in usual virtual hosting
environments but doesn't help for languages running as a module.

"SetHandler default-handler" also works for script languages running
as a module.

Before I add this information to the PmWiki documentation, I would
appreciate comments from people with better Apache knowledge.

Oliver
--
Oliver Betz, Munich http://oliverbetz.de/
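
An added example, not part of the original message or of PmWiki: a shell audit that lists files already present in an upload directory whose names contain the blacklisted strings, and reports whether that directory's .htaccess carries either directive mentioned above. The function names and the directory argument are assumptions.

```shell
#!/bin/sh
# Added example. BLACKLIST mirrors the $UploadBlacklist line quoted above;
# function names and the upload directory argument are assumptions.
BLACKLIST='.php .pl .cgi'

# List files under $1 whose name contains a blacklisted string anywhere,
# case-insensitively (e.g. "test.php.txt"). Assumes no newlines in names.
find_risky_uploads() {
    find "$1" -type f ! -name '.htaccess' | while IFS= read -r path; do
        name=$(basename "$path" | tr '[:upper:]' '[:lower:]')
        for needle in $BLACKLIST; do
            case $name in
                *"$needle"*) printf '%s\n' "$path"; break ;;
            esac
        done
    done | sort
}

# True if $1/.htaccess has an active (not commented-out) line matching
# the extended regex $2, ignoring case and surrounding whitespace.
has_directive() {
    [ -f "$1/.htaccess" ] || return 1
    grep -Eiq "^[[:space:]]*$2[[:space:]]*\$" "$1/.htaccess"
}

# Print which of the two directives from the message are set in
# $1/.htaccess: "sethandler", "noexeccgi", both, or "none".
check_htaccess() {
    found=
    if has_directive "$1" 'SetHandler[[:space:]]+default-handler'; then
        found="$found sethandler"
    fi
    if has_directive "$1" 'Options[[:space:]]+(.*[[:space:]])?-ExecCGI([[:space:]].*)?'; then
        found="$found noexeccgi"
    fi
    found=${found# }
    printf '%s\n' "${found:-none}"
}

# Usage: sh audit_uploads.sh /path/to/uploads
if [ $# -gt 0 ]; then
    find_risky_uploads "$1"
    printf 'htaccess: %s\n' "$(check_htaccess "$1")"
fi
```

The check only reads the file; whether Apache honours it depends on the AllowOverride setting for that directory (FileInfo for SetHandler, Options for Options).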