[pmwiki-users] Disallow scripts in upload directories
list_ob at gmx.net
Sun Mar 31 08:16:06 CDT 2013
Petko Yotov wrote:
>One of the shared hostings I can test appears to have no way to prevent the
>execution of a file.php.txt. They have some custom modified version of
>Apache with PHP/FastCGI and "Options -ExecCGI" does nothing,
>"SetHandler ...", "AddType ...", "ForceType ..." and other suggested
>solutions cause internal server error.
>This is indeed a serious concern if a wiki allows uploads from not
>completely trusted persons. I would advise to either disable uploads from
In this case, I would set $EnableDirectDownload=0; and use a directory
outside DocumentRoot or disallow any access to files in this
>not completely trusted editors or upgrade to the most recent version and
>configure the $UploadBlocklist array.
I suggest preconfiguring $UploadBlacklist in sample-config.php,
otherwise many users will not care about it.
In addition to the already mentioned '.php', '.pl', '.cgi' I would
include at least:
.py, .htm, .shtm, .phtm, .pcgi, .asp, .js, .jsp, .sh
If I understand the code correctly, a ".php" entry also prevents .php4.
I think it would be a good idea to also include a warning in
sample-config.php about disabling script execution by .htaccess if
$EnableDirectDownload is set.
Oliver Betz, Munich http://oliverbetz.de/
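As an added illustration, not PmWiki's own code and not the list's actual implementation: a stand-alone check that applies an extension blocklist the way the thread describes, matching every dot-separated segment after the base name by prefix, so that a ".php" entry also rejects .php4 and the file.php.txt case Petko mentions. The extension list is the one proposed in this message; the function name and the sample filenames are my own.

```python
# Constructed example (not PmWiki's code): an upload filename check that
# mirrors the blocklist behaviour discussed in the thread.
#
# Every dot-separated segment after the base name is treated as an
# extension and compared by prefix against the blocklist.  Prefix matching
# is what makes ".php" also cover ".php4", and checking every segment (not
# just the last one) is what catches "file.php.txt", which some Apache
# setups still hand to the PHP handler.

# Blocklist as proposed in the thread ('.php', '.pl', '.cgi' plus the
# additions suggested above).
UPLOAD_BLOCKLIST = ['.php', '.pl', '.cgi', '.py', '.htm', '.shtm', '.phtm',
                    '.pcgi', '.asp', '.js', '.jsp', '.sh']


def is_blocked(filename: str, blocklist=UPLOAD_BLOCKLIST) -> bool:
    """Return True if any extension segment of filename matches a blocked entry.

    Comparison is case-insensitive ("x.PHP4" is rejected).  Prefix matching
    deliberately over-blocks: ".js" also rejects ".json" and ".htm" also
    rejects ".html", which is the trade-off of the ".php" -> ".php4" rule.
    """
    name = filename.lower().rsplit('/', 1)[-1]   # ignore any directory part
    segments = name.split('.')[1:]               # all segments after base name
    prefixes = [entry.lower().lstrip('.') for entry in blocklist]
    for segment in segments:
        for prefix in prefixes:
            if segment.startswith(prefix):
                return True
    return False


if __name__ == "__main__":
    # Constructed sample filenames, as a defender might test the rule.
    for sample in ["photo.jpg", "notes.php", "file.php.txt", "shell.PHP4",
                   "archive.tar.gz", "php.txt", "uploads/run.sh"]:
        print(f"{sample:16} blocked={is_blocked(sample)}")
```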