Amanda<3 Posted February 17, 2011

Basically, I've been trying to come up with something that will disable execution of scripts, but still allow execution of image files. This is an Apache .htaccess file I've come up with... I'm not sure if it's any good as I'm only fairly good at .htaccess stuff:

DirectoryIndex -
Options All -Indexes
RemoveHandler .php .phtml .php3 .jsp .asp .sh .cgi
RemoveType .php .phtml .php3 .jsp .asp .sh .cgi
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_URI} !^.*\.(jpg|jpeg|gif|png)$ [NC]
RewriteRule ^(.*)$ - [F,L]

The first line is *supposed* to disable all the index files that are set in httpd.conf, of course only for this directory.

The second line disables indexing, so since we don't have an index file, we don't have the folder's contents listed.

The next two lines are *supposed* to disable execution of many types of scripts, on the odd chance someone actually figures out how to slip code into a gif file, even though the uploader checks the mime type, extension, and some other things.

The last 4 lines are basically checking the REQUEST_URI. The request URI is... Say you visit index.php, the request URI is index.php. What the rewrite does is check the URI for anything, and then a file extension of either .jpg, .jpeg, .gif, or .png; if it passes, either an image is given (if it exists), or a 404 (if it doesn't exist). If the extension is not one of the above, in theory it is supposed to (and it does work, just not sure if it's the best way) give a 403 Forbidden page.
a_bertrand Posted February 18, 2011

Isn't it much safer and smarter to actually check the file when you upload it? Sorry, but I don't find all that really useful.
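The upload-time check raised in the reply above, as an added example that is not code from either poster: it accepts only the four image extensions from the first post, requires the content to start with that format's signature, and stores the file under a server-generated name. The names `check_upload`, `UploadRejected` and `SIGNATURES` are hypothetical, and the sample uploads are constructed.

```python
import os
import secrets

# Allowed extensions and the leading bytes a file of that type must start with.
SIGNATURES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}


class UploadRejected(ValueError):
    """Raised when an upload fails the extension or content check."""


def check_upload(client_name: str, data: bytes) -> str:
    """Return a server-generated name for an accepted image, or raise."""
    # Drop any directory part the client sent, then take the last extension only.
    base = os.path.basename(client_name.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    if ext not in SIGNATURES:
        raise UploadRejected(f"extension {ext!r} is not on the allowlist")
    if not data.startswith(SIGNATURES[ext]):
        raise UploadRejected(f"content does not start like a {ext} file")
    # The stored name never reuses client text: random stem + one known extension.
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    # Constructed sample uploads (truncated headers, not real images).
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    jpg = b"\xff\xd8\xff\xe0" + b"\x00" * 16
    samples = [("cat.PNG", png), ("shot.php.jpg", jpg),
               ("notes.php", b"<?php"), ("fake.gif", png), (".htaccess", b"")]
    for name, data in samples:
        try:
            print(f"{name!r:16} -> stored as {check_upload(name, data)}")
        except UploadRejected as err:
            print(f"{name!r:16} -> rejected: {err}")
```

The signature test only inspects the first bytes of the file, so it complements the serving-side restrictions in the first post rather than replacing them.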