[pmwiki-users] Disallow scripts in upload directories

Petko Yotov 5ko at 5ko.fr
Fri Mar 22 22:51:09 CDT 2013

Oliver Betz writes:
> >I'd like to read some opinions from different people about this question -
> >if you can do some tests on your own servers, please find out what .htaccess
> >settings disallow script execution for the uploaded files on your wiki, and
> >report here.
> Strange that nobody cares.

One of the shared hostings I can test appears to have no way to prevent the  
execution of a file.php.txt. They have some custom modified version of  
Apache with PHP/FastCGI and "Options -ExecCGI" does nothing,  
"SetHandler ...", "AddType ...", "ForceType ..." and other suggested  
solutions cause internal server error.

This is indeed a serious concern if a wiki allows uploads from not  
completely trusted persons. I would advise to either disable uploads from  
not completely trusted editors or upgrade to the most recent version and  
configure the $UploadBlocklist array.

On another shared hosting the file.php.txt is not executed but causes  
internal server error which means that their default installation has some  
problem - the server tries to do something with this file instead of just  
serving it as plain text. Your proposed solution for .htaccess works though.

> BTW: I asked in the apache user mailing list about "Options -ExecCGI"
> and "SetHandler default-handler" but didn't get any reply.

The Apache documentation is excellent but there are a huge number of  
configuration options. On a particular installation not every option can  
be selected, and not every problem can be reproduced by the other users, and  
in that case the other users will not be able to help much. :-)


More information about the pmwiki-users mailing list