[pmwiki-users] Disallow scripts in upload directories

Oliver Betz list_ob at gmx.net
Sun Mar 31 08:16:06 CDT 2013


Petko Yotov wrote:

>One of the shared hostings I can test appears to have no way to prevent the  
>execution of a file.php.txt. They have some custom modified version of  
>Apache with PHP/FastCGI and "Options -ExecCGI" does nothing,  
>"SetHandler ...", "AddType ...", "ForceType ..." and other suggested  
>solutions cause internal server error.
>
>This is indeed a serious concern if a wiki allows uploads from not  
>completely trusted persons. I would advise to either disable uploads from  

in this case, I would set $EnableDirectDownload=0; and use a directory
outside DocumentRoot or disallow any access to files in this
directory.

>not completely trusted editors or upgrade to the most recent version and  
>configure the $UploadBlocklist array.

I suggest preconfiguring $UploadBlacklist in sample-config.php,
otherwise many users will not care about it.

In addition to the already mentioned '.php', '.pl', '.cgi' I would
include at least:
.py, .htm, .shtm, .phtm, .pcgi, .asp, .js, .jsp, .sh

If I understand the code correctly, a ".php" entry also prevents .php4
etc., correct?

I think it would be a good idea to also include a warning in
sample-config.php about disabling script execution by .htaccess if
$EnableDirectDownload is set.

Oliver
-- 
Oliver Betz, Munich http://oliverbetz.de/
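An added illustration of the kind of check the thread is talking about (this is not PmWiki's own upload.php code, and the matching rule is an assumption): every dotted segment of the file name is compared against the blocklist by prefix, so "file.php.txt" and "file.php4" are both rejected by a single ".php" entry, while ordinary documents pass.

```python
"""Illustrative upload-name blocklist check.

Added example, not PmWiki code. Assumption: each '.ext' segment of the
name (not only the last one) is compared by prefix against the list, so
double extensions (shell.php.txt) and versioned ones (shell.php4) are
both caught by '.php'. Prefix matching is deliberately broad and can
reject harmless names (e.g. '.sh' also stops 'data.shp'); that is the
safe failure mode for an upload filter.
"""

# Constructed list following the extensions suggested in the thread.
UPLOAD_BLOCKLIST = ['.php', '.pl', '.cgi', '.py', '.htm', '.shtm', '.phtm',
                    '.pcgi', '.asp', '.js', '.jsp', '.sh']


def blocked_reason(filename, blocklist=UPLOAD_BLOCKLIST):
    """Return the blocklist entry that rejects filename, or None if allowed."""
    segments = filename.lower().split('.')[1:]   # everything after the base name
    for seg in segments:
        for entry in blocklist:
            if seg.startswith(entry.lstrip('.').lower()):
                return entry
    return None


def filter_uploads(filenames, blocklist=UPLOAD_BLOCKLIST):
    """Split candidate names into (allowed, rejected) lists.

    rejected is a list of (name, entry) pairs so an admin can see which
    blocklist entry fired for each refused upload.
    """
    allowed, rejected = [], []
    for name in filenames:
        entry = blocked_reason(name, blocklist)
        if entry is None:
            allowed.append(name)
        else:
            rejected.append((name, entry))
    return allowed, rejected


if __name__ == '__main__':
    # Constructed sample upload names, including the cases from the thread.
    sample = ['report.pdf', 'shell.php.txt', 'shell.PHP4', 'page.shtml',
              'photo.jpeg', 'notes.txt']
    ok, bad = filter_uploads(sample)
    print('allowed:', ok)
    print('rejected:', bad)
```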
