Disabling ANY server side script in a directoy?

Discussion in 'Server Operation' started by edge, Jul 3, 2008.

  1. edge

    edge Active Member Moderator

    Hi all,

    I've got a client that needs a directory writable for his clients.
    The main website is in PHP, so disabling PHP for this client is not an option.

    I've created a .htaccess file within the writable directory with the following in it.
    RemoveType application/x-httpd-php php php3
    AddType text/html php php3
    The above .htaccess file does work, and when a client uploads php or php3 file, and runs it, it will show the file as text.
    Problem is that when he uploads it with extention php4 or php5 etc etc it will still run the php code!
    I could add a lot of extentions (php5, php6 ..), but this is not really an option.

    I will also need to stop .pl, /cgi and any other server side scripting language in this open writable directory!

    Anyone here who might have a good tip on how to do this?
  2. topdog

    topdog Active Member HowtoForge Supporter

    When you talk of running do you mean by the web server ? thats for the php code, as for the cgi scripts they will not run unless the directory is script aliased.
  3. edge

    edge Active Member Moderator

    Yes, by running it I'm talking about the web server (Apache)

    I really do not want clients to upload PHP code, and be able to execute it.
    The files that are uploaded to the "writable" directory are all owned by "www-data", so accessing the PHP files in the writable directory will be executed (run) by the Apache webserver.
    I need to stop this some way.
  4. topdog

    topdog Active Member HowtoForge Supporter

    I have not tested but i thought if you are running php as a module and have it configured with
    AddHandler php5-script .php
    it will not run index.php5 as a php file correct me if am wrong.

Share This Page