[Pmwiki-users] Re: more thoughts on .htaccess

Neil Herber nospam
Tue Dec 7 06:00:14 CST 2004


At 2004-12-07  01:26 PM +0100, Joachim Durchholz is rumored to have said:
>Gunnar Wagenknecht wrote:
>>What you wanna do is to disallow some file extensions and to downgrade 
>>scripts (php) to text files.
>>AddType text/plain .php
>
>This doesn't help - all it does is instruct Apache to consider the output 
>from the PHP script as text/plain. You have to use the AddHandler 
>directive to disable scripting. (There's a handler that will convert PHP 
>source code to nicely syntax-highlighted and nl2br-converted HTML code, 
>which is usually associated with .phps files - I forgot its name, but 
>Google should find it easily; I'd expect that it comes with the mod_php 
>module and would be perfect for preventing .php files from executing, just 
>associate that handler with .php and .php3 instead of the usual PHP handler.)
>
>Actually it's better to disallow downloads in general, then the handler 
>associated with .php files doesn't matter.

I presume you mean to disallow uploads.

This might be excessively restrictive as long as the only upload method is 
via PmWiki. It provides some protection by limiting the allowable 
extensions on an upload as well as limiting the size of the upload. I was 
initially concerned to see that ".exe" was an allowable extension in the 
defaults, but that does not seem to pose any danger to the server. It 
certainly could pose a danger to a client who downloads the ".exe".


Neil

Neil Herber
Corporate info at http://www.eton.ca/
Eton Systems, 15 Pinepoint Drive, Nepean, ON, Canada K2H 6B1
Tel: (613) 829-4668 
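
An added example, not part of the original thread: a `.htaccess` for an uploads directory that sets the `AddType` line quoted above beside handler-based and access-based controls. The directory location and the extension list are assumptions; the access rules are written for both Apache 2.4 and older releases.

```apache
# .htaccess for the wiki's uploads directory (location is an assumption).
# Requires AllowOverride FileInfo Options Limit AuthConfig (or All) for it.

# The line quoted in the thread. It only changes the media type mapped to
# .php; a handler mapped with AddHandler in the server config is untouched,
# so whether the script still runs depends on how PHP was wired in.
# AddType text/plain .php

# Handler-based control: drop extension mappings inherited from the server
# config and ask for plain static handling of everything stored here.
RemoveHandler .php .php3 .php4 .php5 .phtml .phps
RemoveType    .php .php3 .php4 .php5 .phtml .phps
SetHandler default-handler
Options -ExecCGI

# Access-based control, independent of any handler mapping: refuse requests
# for script-like names. mod_mime looks at every extension in a file name,
# so the pattern also matches names where the extension is not the last one.
<FilesMatch "\.(php[0-9]?|phtml|phps|cgi|pl)(\.|$)">
    <IfModule mod_authz_core.c>
        # Apache 2.4 and later
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2 and earlier
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
```

After deploying, request a harmless test file with a `.php` name from the uploads URL; a 403 response confirms the rules are being read.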



