[pmwiki-users] Disallow scripts in upload directories, was: PmWiki 2.2.49 released

Oliver Betz list_ob at gmx.net
Sat Mar 9 15:01:35 CST 2013

Petko Yotov wrote:

>This version adds an array $UploadBlacklist containing forbidden strings of  
>an uploaded filename (case insensitive).
>Some Apache installations try to execute a file which has ".php", ".pl" or  
>".cgi" anywhere in the filename, for example, "test.php.txt" may be  
>executed. To disallow such files to be uploaded via the PmWiki interface,  
>add to config.php such a line:
>  $UploadBlacklist = array('.php', '.pl', '.cgi');

Thanks for this option, Petko.

In addition, I suggest to completely disallow execution of scripts in
upload directories.

For Apache .htaccess I found:

"Options -ExecCGI" - that's very effective in usual virtual hosting
environments but doesn't help for languages running as module.

"SetHandler default-handler" works also for script languages running
as module.

Before I add this information to the PmWiki documentation, I would
appreciate comments from people with better Apache knowledge.

Oliver Betz, Munich http://oliverbetz.de/

More information about the pmwiki-users mailing list