Posted to users@httpd.apache.org by rob gwin <ro...@earthlink.net> on 2004/03/18 23:43:03 UTC

[users@httpd] Best directive for prohibiting all script access

Hi, I've got a bunch of php apps running on redhat/apache1.3. Sometimes 
a client of mine needs an ftp dir somewhere in the webroot so they can 
upload images, html files, etc, and I want to prevent them from running 
any sort of script there. So far I've figured out that I can nest a 
<Files> inside a <Directory> for something like this:

<Directory /path/to/the/dir>
         <FilesMatch "\.(php|php3|php4|phtml)$">
                 Deny from all
         </FilesMatch>
</Directory>

..But I'm wondering if there's a better blanket-approach to this, where 
I don't have to explicitly declare every possible "unsafe" file 
extension every time (or conversely, declare all possible "safe" 
extensions). I just simply want to prohibit anything that may be 
interpreted or executed in the given dir; I feel like there oughtta be 
another way to look at it. Anyone?

Thanks!
rob


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Best directive for prohibiting all script access

Posted by Joshua Slive <jo...@slive.ca>.
On Thu, 18 Mar 2004, rob gwin wrote:
> ..But I'm wondering if there's a better blanket-approach to this, where
> I don't have to explicitly declare every possible "unsafe" file
> extension every time (or conversely, declare all possible "safe"
> extensions). I just simply want to prohibit anything that may be
> interpreted or executed in the given dir; I feel like there oughtta be
> another way to look at it. Anyone?

You can use
SetHandler default-handler
to turn off any fancy handlers.  But this probably won't work if you are
using magic-mime-types (like application/x-php-whatever) to configure your
scripts.

Joshua.
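
The blanket approach from Joshua's reply, written out as an added example that is not part of the original thread. It assumes PHP runs as the mod_php Apache module and reuses the placeholder path from the question.

```apache
# Added example, not configuration posted by anyone in the thread.
# /path/to/the/dir is the placeholder path from the original question.
<Directory /path/to/the/dir>
    # Hand every request in this tree to the static-file handler,
    # regardless of what AddHandler maps the extension to elsewhere.
    SetHandler default-handler

    # For the case Joshua cautions about: PHP wired up through a MIME
    # type (AddType application/x-httpd-php ...) instead of a handler.
    # Assumption: mod_php is loaded. This is deliberately not wrapped in
    # <IfModule>, so a missing module is a startup error rather than a
    # silently skipped restriction.
    php_admin_flag engine off

    # Defense in depth: no CGI execution and no server-side includes,
    # even if a handler mapping is reintroduced later.
    Options -ExecCGI -Includes

    # The directory is writable over FTP, so an uploaded .htaccess must
    # not be able to undo any of the settings above.
    AllowOverride None
</Directory>
```

After reloading, request an uploaded test file with a script extension and confirm the response body is the raw source rather than its output.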



Re: [users@httpd] Best directive for prohibiting all script access

Posted by Daniel Guido <in...@speakeasy.net>.
Well, why don't you explicitly DECLARE the only places you WANT scripts 
instead of the other way around?

dan

rob gwin wrote:

> Hi, I've got a bunch of php apps running on redhat/apache1.3. Sometimes 
> a client of mine needs an ftp dir somewhere in the webroot so they can 
> upload images, html files, etc, and I want to prevent them from running 
> any sort of script there. So far I've figured out that I can nest a 
> <Files> inside a <Directory> for something like this:
> 
> <Directory /path/to/the/dir>
>         <FilesMatch "\.(php|php3|php4|phtml)$">
>                 Deny from all
>         </FilesMatch>
> </Directory>
> 
> ..But I'm wondering if there's a better blanket-approach to this, where 
> I don't have to explicitly declare every possible "unsafe" file 
> extension every time (or conversely, declare all possible "safe" 
> extensions). I just simply want to prohibit anything that may be 
> interpreted or executed in the given dir; I feel like there oughtta be 
> another way to look at it. Anyone?
> 
> Thanks!
> rob
> 
> 
