MakeWebGames

Will this work for an Image Upload directory?


Amanda<3


Basically, I've been trying to come up with something that will disable execution of scripts, but still allow execution of image files. This is an Apache .htaccess file I've come up with... I'm not sure if it's any good as I'm only fairly good at .htaccess stuff:

DirectoryIndex -
Options All -Indexes

RemoveHandler .php .phtml .php3 .jsp .asp .sh .cgi
RemoveType .php .phtml .php3 .jsp .asp .sh .cgi      

RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_URI} !^.*\.(jpg|jpeg|gif|png)$ [NC] 
RewriteRule ^(.*)$ - [F,L]

 

The first line is *supposed* to disable all the index files that are set in httpd.conf, of course only for this directory.

The second line disables indexing, so since we don't have an index file, we don't have the folder's contents listed.

The next two lines are *supposed* to disable execution of many types of scripts, on the odd chance someone actually figures out how to slip code into a gif file, even though the uploader checks the mime type, extension, and some other things.

The last 4 lines are basically checking the REQUEST_URI. The request uri is... Say you visit index.php, the request uri is index.php.

What the rewrite does is check the uri for anything, and then a file extension of either .jpg, .jpeg, .gif, or .png; if it passes, either an image is given ( if it exists ), or a 404 ( if it doesn't exist ). If the extension is not of the above, in theory it is supposed to ( and it does work, just not sure if it's the best way ) give a 403 Forbidden page.
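
Added example, not part of the original post: a small Python model of the post's RewriteCond/RewriteRule pair, run over constructed request paths to show which ones get the 403. The `/uploads/` prefix and the file names are assumptions, and the model covers only this one condition and rule, not mod_rewrite in general.

```python
import re

# Rewrite lines copied from the post above.
HTACCESS = r"""
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_URI} !^.*\.(jpg|jpeg|gif|png)$ [NC]
RewriteRule ^(.*)$ - [F,L]
"""

def _flags(parts, idx):
    """Split a trailing '[A,B]' flag field into ['A', 'B']."""
    return parts[idx].strip("[]").split(",") if len(parts) > idx else []

def parse(text):
    """Read the one RewriteCond/RewriteRule pair: (negated, regex, rule_flags)."""
    negated, regex, rule_flags = False, None, []
    for parts in (line.split() for line in text.splitlines()):
        if parts[:2] == ["RewriteCond", "%{REQUEST_URI}"]:
            negated = parts[2].startswith("!")
            nocase = re.I if "NC" in _flags(parts, 3) else 0
            regex = re.compile(parts[2][1:] if negated else parts[2], nocase)
        elif parts[:1] == ["RewriteRule"]:
            rule_flags = _flags(parts, 3)
    return negated, regex, rule_flags

def decide(request, text=HTACCESS):
    """Return 403 when the rule fires, else 'pass' (file is served, or 404)."""
    path = request.split("?", 1)[0]  # REQUEST_URI carries no query string
    negated, regex, rule_flags = parse(text)
    cond_true = (regex.search(path) is None) == negated
    return 403 if cond_true and "F" in rule_flags else "pass"

# Constructed request paths (the /uploads/ prefix is an assumption).
SAMPLES = [
    "/uploads/cat.jpg",
    "/uploads/CAT.PNG",        # [NC] makes the match case-insensitive
    "/uploads/cat.gif?v=2",    # query string is not part of REQUEST_URI
    "/uploads/",               # directory request
    "/uploads/tool.php",
    "/uploads/cat.bmp",        # not in the allowed list
    "/uploads/tool.php.gif",   # only the last extension is checked
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(f"{decide(uri)!s:>4}  {uri}")
```

The last sample passes the extension filter, so keeping such a file from being handled as a script rests on the RemoveHandler/RemoveType lines and the uploader's own checks, not on the rewrite.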
