I have a main .htaccess in my site root and I have a folder e.g /user_uploads/01, /user_uploads/02, etc where I want to block additional .htaccess from being processed. Can I do this from my main htaccess in site root?
6:08 pm on Aug 12, 2010 (gmt 0)
No. You can stop mod_rewrite in those subdirectory .htaccess files from being processed, but this control is not available for other modules.
If you only need to stop mod_rewrite execution, see the mod_rewrite "RewriteOptions" directive and turn off "inherit".
6:48 pm on Aug 12, 2010 (gmt 0)
Maybe I asked this the wrong way. Actually I am trying to block scripts from running in the user uploads area (by redirecting any .php, .asp, etc. to site root), but I found that if a user uploads another .htaccess then it is allowed to overwrite my scripts redirect that I had in the main .htaccess.
So asking it differently now: What directives can I use in the main .htaccess file in order to prevent all scripts from running in user uploads folders like /user_uploads/01, /user_uploads/02, etc.?
10:44 pm on Aug 12, 2010 (gmt 0)
.htaccess is not a script.
You need to prevent all of these filetypes from being uploaded by modifying the "uploader" script to forbid the use of any but the filenames/filetypes that you are willing to allow.
Also set the file permissions so that the files in the upload directory are not executable.
You need a *very good* "uploader" script if you want to prevent your server from being hacked within a few hours...
11:38 pm on Aug 12, 2010 (gmt 0)
Renaming files was what I used until now, but I thought there must be some more elegant, more direct way than just brushing all files each time a user uploads or edits the current files.
For now I am renaming the files with extensions: htaccess, asp, cgi, jsp, php, php3, php4, php5, php6. Do you think this should be safe enough? mail.php would become mail.php_safe
If not, I would also try editing the file permission codes, but I do not think that works well; in case I move files to another server my permission codes might change and expose files. And I want to display other extensions to users, like index.html files, images, etc. Would this renaming be ok?
12:02 am on Aug 13, 2010 (gmt 0)
Not allowing uploads into your site root would be a better approach IMO. You could create a subdomain, e.g. users.example.com, as a VirtualHost with an entirely separate document root, use RemoveHandler etc. to disable the parsing of PHP and other such files, and use
to disallow .htaccess files - in short, lock it down as much as possible.
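As an added example (not from the thread or any poster), here is one way to write the locked-down upload VirtualHost described above for Apache 2.4; the hostname, document root, PHP module name and extension list are assumptions, and any uploaded .htaccess is simply ignored because overrides are turned off at the server-config level:

```apache
# Added example, not from the thread. Apache 2.4 syntax; hostname, paths,
# PHP module name and the list of script extensions are assumptions.
<VirtualHost *:80>
    ServerName users.example.com
    DocumentRoot /var/www/users_uploads

    <Directory /var/www/users_uploads>
        # Ignore every .htaccess a user manages to upload into this tree
        AllowOverride None
        # No CGI, no SSI, no directory listings, no symlinks out of the tree
        Options -ExecCGI -Includes -Indexes -FollowSymLinks
        Require all granted

        # Detach server-side handlers so script files would be treated as
        # plain files instead of being executed
        RemoveHandler .php .phtml .php3 .php4 .php5 .php6 .cgi .pl .py .asp .jsp
        RemoveType    .php .phtml .php3 .php4 .php5 .php6 .cgi .pl .py .asp .jsp

        # Belt and braces: refuse to serve those names at all, so their source
        # is never disclosed even if a handler is re-attached elsewhere
        <FilesMatch "\.(php|phtml|php[3-6]|cgi|pl|py|asp|jsp|htaccess)$">
            Require all denied
        </FilesMatch>

        # If PHP runs in-process (mod_php), switch the engine off here as well.
        # The module name depends on the PHP version (mod_php5.c, mod_php7.c, ...).
        <IfModule mod_php7.c>
            php_admin_flag engine off
        </IfModule>

        # Stop browsers from sniffing an uploaded file into a script/HTML type
        <IfModule mod_headers.c>
            Header set X-Content-Type-Options "nosniff"
        </IfModule>
    </Directory>
</VirtualHost>
```

If PHP is served through php-fpm via a global `<FilesMatch ... SetHandler>` block, that handler must also be removed for this directory, since a global FilesMatch is merged after the Directory section; check with `apachectl -t` and then request an uploaded test.php to confirm it is denied rather than executed.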