Posted to users@httpd.apache.org by rob gwin <ro...@earthlink.net> on 2004/03/18 23:43:03 UTC
[users@httpd] Best directive for prohibiting all script access
Hi, I've got a bunch of php apps running on redhat/apache1.3. Sometimes
a client of mine needs an ftp dir somewhere in the webroot so they can
upload images, html files, etc, and I want to prevent them from running
any sort of script there. So far I've figured out that I can nest a
<Files> inside a <Directory> for something like this:
<Directory /path/to/the/dir>
    <FilesMatch "\.(php|php3|php4|phtml)$">
        Deny from all
    </FilesMatch>
</Directory>
..But I'm wondering if there's a better blanket-approach to this, where
I don't have to explicitly declare every possible "unsafe" file
extension every time (or conversely, declare all possible "safe"
extensions). I just simply want to prohibit anything that may be
interpreted or executed in the given dir; I feel like there oughtta be
another way to look at it. Anyone?
Thanks!
rob
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Best directive for prohibiting all script access
Posted by Joshua Slive <jo...@slive.ca>.
On Thu, 18 Mar 2004, rob gwin wrote:
> ..But I'm wondering if there's a better blanket-approach to this, where
> I don't have to explicitly declare every possible "unsafe" file
> extension every time (or conversely, declare all possible "safe"
> extensions). I just simply want to prohibit anything that may be
> interpreted or executed in the given dir; I feel like there oughtta be
> another way to look at it. Anyone?
You can use
SetHandler default-handler
to turn off any fancy handlers. But this probably won't work if you are
using magic-mime-types (like application/x-php-whatever) to configure your
scripts.
Joshua.
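
A sketch of how the SetHandler suggestion above could be applied to the upload directory, added here as an example and not part of the original thread. It reuses /path/to/the/dir from the question; the RemoveType line and the mod_php4 block are assumptions meant to cover the MIME-type case (AddType application/x-httpd-php) that the reply warns about.

```apache
# Added example (not from the thread). Assumes Apache 1.3 with PHP 4 loaded
# as a module and mapped by MIME type somewhere in the main config, e.g.
#   AddType application/x-httpd-php .php .php3 .php4 .phtml
<Directory /path/to/the/dir>
    # The suggestion from the reply: serve every file as static content.
    SetHandler default-handler

    # Turn off the other execution paths the core offers in this tree:
    # CGI scripts and server-side includes.
    Options -ExecCGI -Includes

    # FTP users can write here, so ignore any .htaccess that gets uploaded;
    # otherwise the settings in this block could be overridden from inside
    # the directory itself.
    AllowOverride None

    # MIME-type case: drop the inherited PHP mappings so these files fall
    # back to DefaultType (needs a 1.3 release that provides RemoveType).
    RemoveType .php .php3 .php4 .phtml

    # Independent of extension or type: switch the PHP engine off for the
    # whole tree. php_admin_flag cannot be changed back from .htaccess.
    <IfModule mod_php4.c>
        php_admin_flag engine off
    </IfModule>
</Directory>
```

Run apachectl configtest after editing, then request a harmless test file from the directory to confirm it comes back as source text rather than executed output.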
Re: [users@httpd] Best directive for prohibiting all script access
Posted by Daniel Guido <in...@speakeasy.net>.
Well, why don't you explicitly DECLARE the only places you WANT scripts
instead of the other way around?
dan
rob gwin wrote:
> Hi, I've got a bunch of php apps running on redhat/apache1.3. Sometimes
> a client of mine needs an ftp dir somewhere in the webroot so they can
> upload images, html files, etc, and I want to prevent them from running
> any sort of script there. So far I've figured out that I can nest a
> <Files> inside a <Directory> for something like this:
>
> <Directory /path/to/the/dir>
>     <FilesMatch "\.(php|php3|php4|phtml)$">
>         Deny from all
>     </FilesMatch>
> </Directory>
>
> ..But I'm wondering if there's a better blanket-approach to this, where
> I don't have to explicitly declare every possible "unsafe" file
> extension every time (or conversely, declare all possible "safe"
> extensions). I just simply want to prohibit anything that may be
> interpreted or executed in the given dir; I feel like there oughtta be
> another way to look at it. Anyone?
>
> Thanks!
> rob
>
>