禁用所有的CGI(PHP,PERL,...)使用的.htaccess目录 [英] Disable all CGI (php, perl, …) for a directory using .htaccess
问题描述
我有,用户可以上传文件的目录。
要避免安全问题(如某人上传恶意PHP脚本)下载文件时,我正在改变文件的扩展名被追加 .DATA
为例,但随后,他们必须手动删除 .DATA
。
另一种常见的解决方案是上传文件,而并非由Apache的服务目录,并有一个PHP脚本管理所有下载致电的ReadFile()
。
我想要做的是简单地禁止执行任何脚本(PHP,PERL,CGI脚本,无论我可能会在将来安装)在上传文件夹中。 这SO回答建议添加在的.htaccess
文件中的以下行该文件夹中:
SetHandler默认处理程序
不过,在我的情况下,这没有任何影响(仍在执行的例子PHP脚本,我把该文件夹中)。我究竟做错了什么?
Apache的配置
本机是一个VPS(虚拟专用服务器)上运行的Debian GNU / Linux的6.0.7(挤)
,而据我记得(我记下所有的我的命令该服务器上运行,所以我的记忆应该是pretty的准确),我dindn't中的Apache2配置改变什么,APPART从运行命令和apt-get安装PHP5
,并创建文件 /etc/apache2/sites-enabled/mysite.com
包含以下内容:
<虚拟主机*:80>
的ServerAdmin网站管理员@本地
服务器名mysite.com
ServerAlias www.mysite.com
DocumentRoot的/home/me/www/mysite.com/www/
<目录/>
有FollowSymLinks
设置AllowOverride所有
< /目录>
<目录/home/me/www/mysite.com/www/>
选择了FollowSymLinks指标多视图
设置AllowOverride所有
订购允许,拒绝
允许所有
< /目录>
错误日志$ {APACHE_LOG_DIR} /error.log
#可能的值包括:调试,信息,通知,警告,错误,暴击,
#警觉,EMERG。
日志级别警告
的CustomLog $ {APACHE_LOG_DIR} /access.log组合
< /虚拟主机>
在将这个你的.htaccess
:
<文件*>
SetHandler默认处理程序
< /文件>
但是,这有几个安全漏洞:可以上传的.htaccess的一个子目录,并覆盖这些设置,它们也可能覆盖的.htaccess文件本身
如果你是偏执该选项的行为应该改变未来,把它放进你的 /etc/apache2/sites-enabled/mysite.com
<目录为/ home / ME / WWW /上传/>
#重要的安全性,prevents从别人
#上传恶意的.htaccess
设置AllowOverride无
SetHandler无
SetHandler默认处理程序
选项-ExecCGI
的php_flag停机
RemoveHandler cgi的.PHP .php3 .php4 .php5 .phtml作为特等的.py的.pyc .pyo
<文件*>
设置AllowOverride无
SetHandler无
SetHandler默认处理程序
选项-ExecCGI
的php_flag停机
RemoveHandler cgi的.PHP .php3 .php4 .php5 .phtml作为特等的.py的.pyc .pyo
< /文件>
< /目录>
如果您不能修改Apache的配置,然后将文件放在一个的.htaccess
与下面的目录结构:
/家/我/ WWW /
| - myuploadscript.php
| - 保护/
| - 的.htaccess
| - 上传/
| - 上传的文件放在这里
这样的话,没有人应该能够覆盖你的 ... /保护/的.htaccess
文件,因为它们上传进去的子目录。 ../保护
,而不是保护
本身。
AFAICT,你应该是pretty的安全这一点。
I have a directory where users can upload files.
To avoid security issues (e.g. somebody uploading a malicious php script), I currently change the files' extension by appending .data
for example, but then when downloading the file, they have to manually remove the .data
.
Another common solution is to upload the files in a directory that is not served by Apache, and have a php script manage all downloads by calling readfile()
.
What I'd like to do is to simply disallow execution of any scripts (php, perl, cgi scripts, whatever I may install in the future) in the upload folder. This SO answer suggests adding the following line in a .htaccess
file in that folder:
SetHandler default-handler
However, in my case this has no effect (the example php script I put in that folder is still executed). What am I doing wrong?
Apache configuration
The machine is a VPS (Virtual Private Server) running Debian GNU/Linux 6.0.7 (squeeze)
, and as far as I can remember (I note down all commands I run on that server, so my "memory" should be pretty accurate), I dindn't change anything in apache2 configuration, appart from running sudo apt-get install php5
, and creating the the file /etc/apache2/sites-enabled/mysite.com
with the following contents:
<VirtualHost *:80>
ServerAdmin webmaster@localhost
ServerName mysite.com
ServerAlias www.mysite.com
DocumentRoot /home/me/www/mysite.com/www/
<Directory />
Options FollowSymLinks
AllowOverride All
</Directory>
<Directory /home/me/www/mysite.com/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from All
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Put this in your .htaccess
:
<Files *>
SetHandler default-handler
</Files>
But this has a few security holes: one can upload a .htaccess in a subdirectory, and override these settings, and they might also overwrite the .htaccess file itself!
If you're paranoid that the behaviour of the option should change in the future, put this in your /etc/apache2/sites-enabled/mysite.com
<Directory /home/me/www/upload/>
# Important for security, prevents someone from
# uploading a malicious .htaccess
AllowOverride None
SetHandler none
SetHandler default-handler
Options -ExecCGI
php_flag engine off
RemoveHandler .cgi .php .php3 .php4 .php5 .phtml .pl .py .pyc .pyo
<Files *>
AllowOverride None
SetHandler none
SetHandler default-handler
Options -ExecCGI
php_flag engine off
RemoveHandler .cgi .php .php3 .php4 .php5 .phtml .pl .py .pyc .pyo
</Files>
</Directory>
If you can't modify the apache configuration, then put the files in a .htaccess
with the following directory structure:
/home/me/www/
|- myuploadscript.php
|- protected/
|- .htaccess
|- upload/
|- Uploaded files go here
That way, nobody should be able to overwrite your .../protected/.htaccess
file since their uploads go in a subdirectory of .../protected
, not in protected
itself.
AFAICT, you should be pretty safe with that.
这篇关于禁用所有的CGI(PHP,PERL,...)使用的.htaccess目录的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!