Disable all CGI (php, perl, …) for a directory using .htaccess
Question
I have a directory where users can upload files.
To avoid security issues (e.g. somebody uploading a malicious php script), I currently change the files' extension by appending .data for example, but then when downloading the file, they have to manually remove the .data.
Another common solution is to upload the files in a directory that is not served by Apache, and have a php script manage all downloads by calling readfile().
What I'd like to do is to simply disallow execution of any scripts (php, perl, cgi scripts, whatever I may install in the future) in the upload folder. This SO answer suggests adding the following line in a .htaccess file in that folder:
SetHandler default-handler
However, in my case this has no effect (the example php script I put in that folder is still executed). What am I doing wrong?
The machine is a VPS (Virtual Private Server) running Debian GNU/Linux 6.0.7 (squeeze), and as far as I can remember (I note down all commands I run on that server, so my "memory" should be pretty accurate), I didn't change anything in the apache2 configuration, apart from running sudo apt-get install php5, and creating the file /etc/apache2/sites-enabled/mysite.com with the following contents:
<VirtualHost *:80>
ServerAdmin webmaster@localhost
ServerName mysite.com
ServerAlias www.mysite.com
DocumentRoot /home/me/www/mysite.com/www/
<Directory />
Options FollowSymLinks
AllowOverride All
</Directory>
<Directory /home/me/www/mysite.com/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from All
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Recommended answer
Put this in your .htaccess:
<Files *>
# @mivk mentioned in the comments that this may break
# directory indexes generated by Options +Indexes.
SetHandler default-handler
</Files>
But this has a few security holes: one can upload a .htaccess in a subdirectory, and override these settings, and they might also overwrite the .htaccess file itself!
If you're paranoid that the behaviour of the option should change in the future, put this in your /etc/apache2/sites-enabled/mysite.com:
<Directory /home/me/www/upload/>
# Important for security, prevents someone from
# uploading a malicious .htaccess
AllowOverride None
# Serve every file in this directory as static content,
# whatever its extension (overrides mod_php / mod_cgi handlers)
SetHandler default-handler
Options -ExecCGI
# Requires mod_php to be loaded; switches the PHP engine off here
php_flag engine off
RemoveHandler .cgi .php .php3 .php4 .php5 .phtml .pl .py .pyc .pyo
# Note: these directives already apply to all files in the directory, so a
# nested <Files *> block repeating them is redundant, and AllowOverride is
# only valid in <Directory> (Apache rejects it inside <Files>).
</Directory>
If you can't modify the apache configuration, then put the files in a .htaccess with the following directory structure:
/home/me/www/
|- myuploadscript.php
|- protected/
   |- .htaccess
   |- upload/
      |- Uploaded files go here
That way, nobody should be able to overwrite your .../protected/.htaccess file since their uploads go in a subdirectory of .../protected, not in protected itself.
AFAICT, you should be pretty safe with that.
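As an added example (not code from the original question or answer), the following Python script audits an Apache configuration for an upload directory and reports which of the directives the answer relies on (AllowOverride None, SetHandler default-handler, Options -ExecCGI, php_flag engine off, RemoveHandler covering .php) are missing. It also flags AllowOverride placed inside a <Files> block, which Apache does not accept. The parser only understands the container syntax used in the snippets above, and the three sample configurations are constructed for this demonstration.

```python
"""Audit an Apache configuration for an upload directory that must not run scripts.

Added example, not code from the original question or answer. It only understands
the container syntax the page's snippets use (<Directory>, <Files>, <VirtualHost>
and plain directives); the sample configurations below are constructed for the demo.
"""
import re
from typing import Dict, List, NamedTuple, Tuple

OPEN_RE = re.compile(r"^<(\w+)\s+([^>]*)>$")   # e.g. <Directory /path/>
CLOSE_RE = re.compile(r"^</(\w+)>$")           # e.g. </Directory>


class Container(NamedTuple):
    name: str                           # container name, lower-cased ("directory")
    arg: str                            # container argument ("/home/me/www/upload/")
    ancestors: List[str]                # names of the enclosing containers
    directives: List[Tuple[str, str]]   # (directive, value) pairs in file order


def parse_containers(text: str) -> List[Container]:
    """Flatten a config into containers; each keeps only its own direct directives."""
    stack: List[Tuple[str, str, List[Tuple[str, str]]]] = []
    found: List[Container] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN_RE.match(line)
        if m:
            stack.append((m.group(1).lower(), m.group(2).strip(), []))
        elif CLOSE_RE.match(line):
            name, arg, directives = stack.pop()
            found.append(Container(name, arg, [s[0] for s in stack], directives))
        elif stack:
            parts = line.split(None, 1)
            stack[-1][2].append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return found


def values_of(c: Container) -> Dict[str, List[str]]:
    """Group a container's directive values by directive name, keeping order."""
    out: Dict[str, List[str]] = {}
    for name, value in c.directives:
        out.setdefault(name, []).append(value)
    return out


def audit(config_text: str, upload_dir: str) -> List[str]:
    """Return a list of problems; an empty list means the directory is locked down."""
    findings: List[str] = []
    containers = parse_containers(config_text)
    target = upload_dir.rstrip("/")
    sections = [c for c in containers
                if c.name == "directory" and c.arg.rstrip("/") == target]
    if not sections:
        return [f"no <Directory {upload_dir}> section found"]
    d = values_of(sections[0])
    # When a directive is repeated Apache applies the last one, so check the last value.
    if d.get("allowoverride", [""])[-1].lower() != "none":
        findings.append("AllowOverride is not None: an uploaded .htaccess could re-enable handlers")
    if d.get("sethandler", [""])[-1].lower() != "default-handler":
        findings.append("SetHandler default-handler missing: mod_php/mod_cgi handlers still apply")
    if "-execcgi" not in " ".join(d.get("options", [])).lower().split():
        findings.append("Options -ExecCGI missing")
    if d.get("php_flag", [""])[-1].lower().split() != ["engine", "off"]:
        findings.append("php_flag engine off missing")
    if ".php" not in " ".join(d.get("removehandler", [])).lower().split():
        findings.append("RemoveHandler does not cover .php")
    # AllowOverride is only valid in <Directory>; inside <Files> Apache refuses the config.
    for c in containers:
        if c.name == "files" and "allowoverride" in values_of(c):
            findings.append("AllowOverride inside <Files> is rejected by Apache")
    return findings


# Constructed sample: a vhost like the question's, which leaves the document root open.
WEAK_CONFIG = """<VirtualHost *:80>
DocumentRoot /home/me/www/mysite.com/www/
<Directory /home/me/www/mysite.com/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
</Directory>
</VirtualHost>
"""

# Constructed sample: the answer's directory block without the redundant <Files> part.
HARDENED_CONFIG = """<Directory /home/me/www/upload/>
AllowOverride None
SetHandler default-handler
Options -ExecCGI
php_flag engine off
RemoveHandler .cgi .php .php3 .php4 .php5 .phtml .pl .py .pyc .pyo
</Directory>
"""

# Constructed sample: the same block with AllowOverride repeated inside <Files *>.
BROKEN_CONFIG = HARDENED_CONFIG.replace(
    "</Directory>", "<Files *>\nAllowOverride None\n</Files>\n</Directory>")

if __name__ == "__main__":
    for label, cfg, path in [("weak", WEAK_CONFIG, "/home/me/www/mysite.com/www/"),
                             ("hardened", HARDENED_CONFIG, "/home/me/www/upload/"),
                             ("broken", BROKEN_CONFIG, "/home/me/www/upload/")]:
        print(label, audit(cfg, path) or "OK")
```

Run it against a copy of your real sites-enabled file and the upload directory path; an empty result for that directory means every directive from the answer is present with the expected value, while a finding about <Files> tells you Apache would refuse to load the file at all.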