
Apache Web Server Forum

    
Blocking additional .htaccess in sub-directories
adrianTNT




msg:4186085
 5:56 pm on Aug 12, 2010 (gmt 0)

I have a main .htaccess in my site root and I have folders, e.g. /user_uploads/01, /user_uploads/02, etc., where I want to block additional .htaccess files from being processed.
Can I do this from my main htaccess in site root?

 

jdMorgan




msg:4186102
 6:08 pm on Aug 12, 2010 (gmt 0)

No. You can stop mod_rewrite in those subdirectory .htaccess files from being processed, but this control is not available for other modules.

If you only need to stop mod_rewrite execution, see the mod_rewrite "RewriteOptions" directive and turn off "inherit".

Jim

adrianTNT




msg:4186123
 6:48 pm on Aug 12, 2010 (gmt 0)

Maybe I asked this the wrong way.
Actually I am trying to block scripts from running in the user uploads area (by redirecting any .php, .asp, etc. to site root), but I found that if a user uploads another .htaccess then it is allowed to overwrite the scripts redirect that I had in the main .htaccess.

So asking it differently now:
What directives can I use in the main .htaccess file in order to prevent all scripts from running in user uploads folders like /user_uploads/01, /user_uploads/02, etc.?

Thanks.

jdMorgan




msg:4186199
 10:44 pm on Aug 12, 2010 (gmt 0)

.htaccess is not a script.

You need to prevent all of these filetypes from being uploaded by modifying the "uploader" script to forbid the use of any but the filenames/filetypes that you are willing to allow.

Also set the file permissions so that the files in the upload directory are not executable.

You need a *very good* "uploader" script if you want to prevent your server from being hacked within a few hours...

Jim

adrianTNT




msg:4186211
 11:38 pm on Aug 12, 2010 (gmt 0)

Renaming files was what I used until now, but I thought there must be some more elegant, more direct way than just brush all files each time a user uploads or edits the current files.

For now I am renaming the files with extensions: htaccess, asp, cgi, jsp, php, php3, php4, php5, php6. Do you think this should be safe enough?
mail.php would become mail.php_safe

If not, I would also try editing the file permission codes but I do not think that works well; in case I move files to another server the permission code might change and expose files. And I want to display other extensions to users, like index.html files, images, etc.
Would this renaming be ok?

encyclo




msg:4186228
 12:02 am on Aug 13, 2010 (gmt 0)

Not allowing uploads into your site root would be a better approach IMO. You could create a subdomain, e.g. users.example.com, as a VirtualHost with an entirely separate document root, use RemoveHandler etc. to disable the parsing of PHP and other such files, and use AllowOverride none to disallow .htaccess files - in short, lock it down as much as possible.

[httpd.apache.org...]
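
The setup encyclo describes, sketched as an added example that is not part of the original thread. It assumes Apache 2.4 syntax in the server configuration (not in .htaccess); the hostname, the /srv/user_uploads path and the extension lists are assumptions.

```apache
# Added example. users.example.com, /srv/user_uploads and the extension
# lists are assumptions; adjust them to the handlers your server loads.
<VirtualHost *:80>
    ServerName users.example.com
    # Separate document root, outside the main site's tree.
    DocumentRoot /srv/user_uploads

    <Directory /srv/user_uploads>
        # Ignore every .htaccess below this directory, so an uploaded
        # .htaccess cannot override anything set here.
        AllowOverride None

        # No CGI execution, server-side includes or directory listings.
        Options -ExecCGI -Includes -Indexes

        # Drop extension mappings created with AddHandler / AddType.
        # mod_mime looks at every extension of a name, so this also
        # covers uploads such as mail.php.txt.
        RemoveHandler .php .php3 .php4 .php5 .phtml .cgi .pl .asp .jsp
        RemoveType .php .php3 .php4 .php5 .phtml

        # RemoveHandler does not undo a handler assigned with SetHandler
        # (for example in a <FilesMatch> block in the server config);
        # reset those explicitly.
        <FilesMatch "(?i)\.(php[0-9]?|phtml|cgi|pl|asp|jsp)$">
            SetHandler None
        </FilesMatch>

        Require all granted
    </Directory>
</VirtualHost>
```

Run `apachectl configtest` before reloading, then request a harmless test script from the uploads host and confirm it comes back as plain source rather than executed output.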
