使用 .htaccess 禁用目录的所有 CGI(php、perl 等) [英] Disable all CGI (php, perl, …) for a directory using .htaccess

问题描述

我有一个用户可以上传文件的目录.

I have a directory where users can upload files.

为了避免安全问题(例如有人上传恶意 php 脚本)，我目前通过附加 .data 来更改文件的扩展名，但是在下载文件时，他们必须手动删除.data.

To avoid security issues (e.g. somebody uploading a malicious php script), I currently change the files' extension by appending .data for example, but then when downloading the file, they have to manually remove the .data.

另一种常见的解决方案是将文件上传到非 Apache 服务的目录中，并且使用 php 脚本管理所有下载 通过调用 readfile().

Another common solution is to upload the files in a directory that is not served by Apache, and have a php script manage all downloads by calling readfile().

我想做的是简单地禁止在上传文件夹中执行任何脚本(php、perl、cgi 脚本，无论我将来可能安装什么).此 SO 答案 建议在该文件夹的 .htaccess 文件中添加以下行:>

What I'd like to do is to simply disallow execution of any scripts (php, perl, cgi scripts, whatever I may install in the future) in the upload folder. This SO answer suggests adding the following line in a .htaccess file in that folder:

SetHandler default-handler

但是，在我的情况下，这没有任何影响(我放在该文件夹中的示例 php 脚本仍会执行).我做错了什么?

However, in my case this has no effect (the example php script I put in that folder is still executed). What am I doing wrong?

这台机器是一台运行 Debian GNU/Linux 6.0.7 (squeeze) 的 VPS(虚拟专用服务器)，据我所知(我记下了我在该服务器上运行的所有命令，所以我的记忆"应该非常准确)，我没有更改 apache2 配置中的任何内容，从运行 sudo apt-get install php5 开始，并创建文件 /etc/apache2/sites-enabled/mysite.com 包含以下内容:

The machine is a VPS (Virtual Private Server) running Debian GNU/Linux 6.0.7 (squeeze), and as far as I can remember (I note down all commands I run on that server, so my "memory" should be pretty accurate), I dindn't change anything in apache2 configuration, appart from running sudo apt-get install php5, and creating the the file /etc/apache2/sites-enabled/mysite.com with the following contents:

<VirtualHost *:80>
  ServerAdmin webmaster@localhost
  ServerName  mysite.com
  ServerAlias www.mysite.com

  DocumentRoot /home/me/www/mysite.com/www/
  <Directory />
    Options FollowSymLinks
    AllowOverride All 
  </Directory>
  <Directory /home/me/www/mysite.com/www/>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride All 
    Order allow,deny
    allow from All
  </Directory>

  ErrorLog ${APACHE_LOG_DIR}/error.log

  # Possible values include: debug, info, notice, warn, error, crit,
  # alert, emerg.
  LogLevel warn

  CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

推荐答案

把它放在你的 .htaccess 中:

<Files *>
    # @mivk mentionned in the comments that this may break
    # directory indexes generated by Options +Indexes.
    SetHandler default-handler
</Files>

但这有一些安全漏洞:可以在子目录中上传 .htaccess 文件，并覆盖这些设置，它们也可能覆盖 .htaccess 文件本身！

But this has a few security holes: one can upload a .htaccess in a subdirectory, and override these settings, and they might also overwrite the .htaccess file itself!

如果您怀疑该选项的行为将来会发生变化，请将其放在您的/etc/apache2/sites-enabled/mysite.com

If you're paranoid that the behaviour of the option should change in the future, put this in your /etc/apache2/sites-enabled/mysite.com

    <Directory /home/me/www/upload/>
            # Important for security, prevents someone from
            # uploading a malicious .htaccess
            AllowOverride None

            SetHandler none
            SetHandler default-handler

            Options -ExecCGI
            php_flag engine off
            RemoveHandler .cgi .php .php3 .php4 .php5 .phtml .pl .py .pyc .pyo
            <Files *>
                    AllowOverride None

                    SetHandler none
                    SetHandler default-handler

                    Options -ExecCGI
                    php_flag engine off
                    RemoveHandler .cgi .php .php3 .php4 .php5 .phtml .pl .py .pyc .pyo
            </Files>
    </Directory>

如果不能修改apache的配置，那么把文件放在.htaccess中，目录结构如下:

If you can't modify the apache configuration, then put the files in a .htaccess with the following directory structure:

/home/me/www/
          |- myuploadscript.php
          |- protected/
              |- .htaccess
              |- upload/
                  |- Uploaded files go here

那样，没有人应该能够覆盖您的 .../protected/.htaccess 文件，因为他们上传的内容位于 .../protected 的子目录中，不在 protected 本身中.

That way, nobody should be able to overwrite your .../protected/.htaccess file since their uploads go in a subdirectory of .../protected, not in protected itself.

AFAICT，你应该很安全.

AFAICT, you should be pretty safe with that.

这篇关于使用 .htaccess 禁用目录的所有 CGI(php、perl 等)的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！