禁用所有的CGI（PHP，PERL，...）使用的.htaccess目录 [英] Disable all CGI (php, perl, …) for a directory using .htaccess

问题描述

我有，用户可以上传文件的目录。

要避免安全问题（如某人上传恶意PHP脚本）下载文件时，我正在改变文件的扩展名被追加 .DATA 为例，但随后，他们必须手动删除 .DATA 。

另一种常见的解决方案是上传文件，而并非由Apache的服务目录，并有一个PHP脚本管理所有下载致电的ReadFile（）。

我想要做的是简单地禁止执行任何脚本（PHP，PERL，CGI脚本，无论我可能会在将来安装）在上传文件夹中。 这SO回答建议添加在的.htaccess 文件中的以下行该文件夹中：

  SetHandler默认处理程序
 

不过，在我的情况下，这没有任何影响（仍在执行的例子PHP脚本，我把该文件夹中）。我究竟做错了什么？

Apache的配置

本机是一个VPS（虚拟专用服务器）上运行的Debian GNU / Linux的6.0.7（挤），而据我记得（我记下所有的我的命令该服务器上运行，所以我的记忆应该是pretty的准确），我dindn't中的Apache2配置改变什么，APPART从运行命令和apt-get安装PHP5 ，并创建文件 /etc/apache2/sites-enabled/mysite.com 包含以下内容：

 ＆LT;虚拟主机*：80＆GT;
  的ServerAdmin网站管理员@本地
  服务器名mysite.com
  ServerAlias​​ www.mysite.com

  DocumentRoot的/home/me/www/mysite.com/www/
  ＆LT;目录/＆GT;
    有FollowSymLinks
    设置AllowOverride所有
  ＆LT; /目录＆GT;
  ＆LT;目录/home/me/www/mysite.com/www/>
    选择了FollowSymLinks指标多视图
    设置AllowOverride所有
    订购允许，拒绝
    允许所有
  ＆LT; /目录＆GT;

  错误日志$ {APACHE_LOG_DIR} /error.log

  ＃可能的值包括：调试，信息，通知，警告，错误，暴击，
  ＃警觉，EMERG。
  日志级别警告

  的CustomLog $ {APACHE_LOG_DIR} /access.log组合
＆LT; /虚拟主机＆GT;
 

解决方案

在将这个你的.htaccess ：

 ＆LT;文件*＆GT;
    SetHandler默认处理程序
＆LT; /文件＆GT;
 

但是，这有几个安全漏洞：可以上传的.htaccess的一个子目录，并覆盖这些设置，它们也可能覆盖的.htaccess文件本身

如果你是偏执该选项的行为应该改变​​未来，把它放进你的 /etc/apache2/sites-enabled/mysite.com

 ＆LT;目录为/ home / ME / WWW /上传/＆GT;
            ＃重要的安全性，prevents从别人
            ＃上传恶意的.htaccess
            设置AllowOverride无

            SetHandler无
            SetHandler默认处理程序

            选项​​-ExecCGI
            的php_flag停机
            RemoveHandler cgi的.PHP .php3 .php4 .php5 .phtml作为特等的.py的.pyc .pyo
            ＆LT;文件*＆GT;
                    设置AllowOverride无

                    SetHandler无
                    SetHandler默认处理程序

                    选项​​-ExecCGI
                    的php_flag停机
                    RemoveHandler cgi的.PHP .php3 .php4 .php5 .phtml作为特等的.py的.pyc .pyo
            ＆LT; /文件＆GT;
    ＆LT; /目录＆GT;
 

如果您不能修改Apache的配置，然后将文件放在一个的.htaccess 与下面的目录结构：

  /家/我/ WWW /
          |  -  myuploadscript.php
          |  - 保护/
              |  - 的.htaccess
              |  - 上传/
                  |  - 上传的文件放在这里
 

这样的话，没有人应该能够覆盖你的 ... /保护/的.htaccess 文件，因为它们上传进去的子目录。 ../保护，而不是保护本身。

AFAICT，你应该是pretty的安全这一点。

I have a directory where users can upload files.

To avoid security issues (e.g. somebody uploading a malicious php script), I currently change the files' extension by appending .data for example, but then when downloading the file, they have to manually remove the .data.

Another common solution is to upload the files in a directory that is not served by Apache, and have a php script manage all downloads by calling readfile().

What I'd like to do is to simply disallow execution of any scripts (php, perl, cgi scripts, whatever I may install in the future) in the upload folder. This SO answer suggests adding the following line in a .htaccess file in that folder:

SetHandler default-handler

However, in my case this has no effect (the example php script I put in that folder is still executed). What am I doing wrong?

Apache configuration

The machine is a VPS (Virtual Private Server) running Debian GNU/Linux 6.0.7 (squeeze), and as far as I can remember (I note down all commands I run on that server, so my "memory" should be pretty accurate), I dindn't change anything in apache2 configuration, appart from running sudo apt-get install php5, and creating the the file /etc/apache2/sites-enabled/mysite.com with the following contents:

<VirtualHost *:80>
  ServerAdmin webmaster@localhost
  ServerName  mysite.com
  ServerAlias www.mysite.com

  DocumentRoot /home/me/www/mysite.com/www/
  <Directory />
    Options FollowSymLinks
    AllowOverride All 
  </Directory>
  <Directory /home/me/www/mysite.com/www/>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride All 
    Order allow,deny
    allow from All
  </Directory>

  ErrorLog ${APACHE_LOG_DIR}/error.log

  # Possible values include: debug, info, notice, warn, error, crit,
  # alert, emerg.
  LogLevel warn

  CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

解决方案

Put this in your .htaccess:

<Files *>
    SetHandler default-handler
</Files>

But this has a few security holes: one can upload a .htaccess in a subdirectory, and override these settings, and they might also overwrite the .htaccess file itself!

If you're paranoid that the behaviour of the option should change in the future, put this in your /etc/apache2/sites-enabled/mysite.com

    <Directory /home/me/www/upload/>
            # Important for security, prevents someone from
            # uploading a malicious .htaccess
            AllowOverride None

            SetHandler none
            SetHandler default-handler

            Options -ExecCGI
            php_flag engine off
            RemoveHandler .cgi .php .php3 .php4 .php5 .phtml .pl .py .pyc .pyo
            <Files *>
                    AllowOverride None

                    SetHandler none
                    SetHandler default-handler

                    Options -ExecCGI
                    php_flag engine off
                    RemoveHandler .cgi .php .php3 .php4 .php5 .phtml .pl .py .pyc .pyo
            </Files>
    </Directory>

If you can't modify the apache configuration, then put the files in a .htaccess with the following directory structure:

/home/me/www/
          |- myuploadscript.php
          |- protected/
              |- .htaccess
              |- upload/
                  |- Uploaded files go here

That way, nobody should be able to overwrite your .../protected/.htaccess file since their uploads go in a subdirectory of .../protected, not in protected itself.

AFAICT, you should be pretty safe with that.

这篇关于禁用所有的CGI（PHP，PERL，...）使用的.htaccess目录的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！