[pmwiki-users] Disallow scripts in upload directories

tamouse mailing lists tamouse.lists at gmail.com
Fri Mar 22 23:42:03 CDT 2013


On Fri, Mar 22, 2013 at 10:51 PM, Petko Yotov <5ko at 5ko.fr> wrote:
> Oliver Betz writes:
>>
>> > I'd like to read some opinions from different people about this
>> > question - if you can do some tests on your own servers, please find
>> > out what .htaccess settings disallow script execution for the
>> > uploaded files on your wiki, and report here.
>>
>> Strange that nobody cares.
>
>
> One of the shared hostings I can test appears to have no way to prevent the
> execution of a file.php.txt. They have some custom modified version of
> Apache with PHP/FastCGI and "Options -ExecCGI" does nothing, "SetHandler
> ...", "AddType ...", "ForceType ..." and other suggested solutions cause
> internal server error.

If it's like the default config on my GoDaddy VPS, it is because the
FastCGI is set up to execute files matching "\.php" - i.e.
something.php, something.phps, something.php12345, something.php.txt,
and so on. They mistakenly forgot to include the $ terminator. I've
been over this with them time and again, and eventually just gave up.
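
[Added example, not part of the original post and not PmWiki code: a small audit that lists which files under an uploads directory a handler pattern without the "$" terminator would pass to PHP. The function names, the sample tree and the case-insensitive matching are assumptions made for illustration.]

```python
import os
import re
import tempfile

# Handler match as described in the post: no "$", so ".php" anywhere in the
# file name matches. Case-insensitive matching is a conservative audit choice
# (assumption; the post does not say how the host matches case).
UNANCHORED = re.compile(r"\.php", re.IGNORECASE)
# The same pattern with the "$" terminator: ".php" only as the final extension.
ANCHORED = re.compile(r"\.php$", re.IGNORECASE)

def classify(name):
    """Return 'script', 'misrouted' or 'inert' for one file name."""
    if ANCHORED.search(name):
        return "script"        # a real .php file; matched by either pattern
    if UNANCHORED.search(name):
        return "misrouted"     # matched only because the "$" is missing
    return "inert"

def audit_uploads(root):
    """Walk root and return sorted (relative path, verdict) for non-inert files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            verdict = classify(fname)
            if verdict != "inert":
                rel = os.path.relpath(os.path.join(dirpath, fname), root)
                findings.append((rel, verdict))
    return sorted(findings)

def demo():
    """Build a constructed uploads tree (names taken from the post) and audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "Main"))
        for rel in ("Main/something.php.txt", "Main/photo.jpg",
                    "something.phps", "notes.txt"):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write("constructed sample\n")
        return audit_uploads(root)

if __name__ == "__main__":
    for path, verdict in demo():
        print(f"{verdict:10} {path}")
```

On a host configured as described, every "misrouted" entry is a file an upload filter that checks only the final extension would have accepted.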


