How to disable PHP on a per-folder basis?

Red Squirrel

No Lifer
May 24, 2003
65,892
11,334
126
I want to disable php/cgi in upload directories so people can't just upload .php files and screw around with my server. I can't seem to figure out how to do this.

I tried

php_admin_flag engine off

but I just get internal server error.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
I don't know that you can disable it completely but you should be able to remove the .php association with RemoveType.
 

Red Squirrel

No Lifer
May 24, 2003
65,892
11,334
126
That does not seem to work; I think the AddType takes precedence or something. No internal server error or anything, it just does not work. To ensure the htaccess file is being checked I tried putting deny from all and it worked.

Anything else that could work?
 

Brazen

Diamond Member
Jul 14, 2000
4,259
0
0
Though I have only a cursory understanding of it, you could probably disable access to .php files using rewrite rules to direct any requests for .php pages to somewhere else.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
Originally posted by: Brazen
Though I have only a cursory understanding of it, you could probably disable access to .php files using rewrite rules to direct any requests for .php pages to somewhere else.

But redirect them to where?
 

Brazen

Diamond Member
Jul 14, 2000
4,259
0
0
Originally posted by: Nothinman
Though I have only a cursory understanding of it, you could probably disable access to .php files using rewrite rules to direct any requests for .php pages to somewhere else.

But redirect them to where?

wherever you want. Could be some static page solely for this purpose, or maybe redirect to the index page, or the page with the same name but an html extension instead of php.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
Originally posted by: Brazen
wherever you want. Could be some static page solely for this purpose, or maybe redirect to the index page, or the page with the same name but an html extension instead of php.

But he only wants to disable PHP for certain directories so if he redirects all PHP pages to the same place he'll need some handler to decide if the page should be executed or not.
 

Brazen

Diamond Member
Jul 14, 2000
4,259
0
0
Originally posted by: Nothinman
wherever you want. Could be some static page solely for this purpose, or maybe redirect to the index page, or the page with the same name but an html extension instead of php.

But he only wants to disable PHP for certain directories so if he redirects all PHP pages to the same place he'll need some handler to decide if the page should be executed or not.

You just put the rewrite rule in the htaccess file for the directories that you want php disabled.

Or as sciencewhiz said, you could put it in your main httpd.conf and have it applied to only the directories you want, either with <Directory> attributes or it should be possible to do directory matching within the rewrite rule itself.

I figured that was all obvious, that's why I didn't spell it out.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
Originally posted by: Brazen
You just put the rewrite rule in the htaccess file for the directories that you want php disabled.

And then the users can either edit or delete the htaccess file to remove the "protection".

Not that I think it's a completely impossible task but it sure as hell seems like the wrong direction to attack the problem. How about just properly securing the server so that no real damage can be done via the PHP scripts? Or not even giving people that you don't trust accounts with which to upload scripts. Or if you must give them accounts give them virtual servers so that the only environment that they can affect is their own?
 

Brazen

Diamond Member
Jul 14, 2000
4,259
0
0
Originally posted by: Nothinman
You just put the rewrite rule in the htaccess file for the directories that you want php disabled.

And then the users can either edit or delete the htaccess file to remove the "protection".

Not that I think it's a completely impossible task but it sure as hell seems like the wrong direction to attack the problem. How about just properly securing the server so that no real damage can be done via the PHP scripts? Or not even giving people that you don't trust accounts with which to upload scripts. Or if you must give them accounts give them virtual servers so that the only environment that they can affect is their own?

Are you telling me or the OP? I'm just answering his question; don't tase me bro!

and it is possible to allow uploads into a folder, but not allow permission to change the htaccess file.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
Originally posted by: Brazen
Are you telling me or the OP? I'm just answering his question; don't tase me bro!

The OP.

and it is possible to allow uploads into a folder, but not allow permission to change the htaccess file.

But if you can write to the directory you can also delete files in it.
 

kamper

Diamond Member
Mar 18, 2003
5,513
0
0
Originally posted by: Nothinman
Are you telling me or the OP? I'm just answering his question; don't tase me bro!

The OP.

and it is possible to allow uploads into a folder, but not allow permission to change the htaccess file.

But if you can write to the directory you can also delete files in it.

Which is why you'd naturally put this in httpd.conf in a <Directory> section. Not that I think using a url rewrite is a particularly good idea, but that's what you'd want to do if using the RemoveType directive.
 

Brazen

Diamond Member
Jul 14, 2000
4,259
0
0
Originally posted by: Nothinman
Are you telling me or the OP? I'm just answering his question; don't tase me bro!

The OP.

I'll let him defend whatever he does then :D Although it seems he may have abandoned this thread.

and it is possible to allow uploads into a folder, but not allow permission to change the htaccess file.

But if you can write to the directory you can also delete files in it.

hmm, that would be a problem then.
 

Red Squirrel

No Lifer
May 24, 2003
65,892
11,334
126
It's not my server. Just trying to secure my forums, since upload folders (for avatars etc) have to upload to folders which are chmodded 777 allowing anyone to throw whatever they want in there if they compromise the server in another way (ex: another user's badly written script, or something).

So if whatever way, a php file makes its way to one of those folders, I want it to load up as plain text.
 

sciencewhiz

Diamond Member
Jun 30, 2000
5,885
8
81
Originally posted by: RedSquirrel
It's not my server. Just trying to secure my forums, since upload folders (for avatars etc) have to upload to folders which are chmodded 777 allowing anyone to throw whatever they want in there if they compromise the server in another way (ex: another user's badly written script, or something).

So if whatever way, a php file makes its way to one of those folders, I want it to load up as plain text.

If your forum software allows any type of upload, you should be looking for a different software. Likewise if after the files are uploaded they are 777.
 

Red Squirrel

No Lifer
May 24, 2003
65,892
11,334
126
I can specify the types so the forum software itself does not allow it, though there's still the possibility of a file making it there through an exploit somewhere else on the server which I perhaps overlook, or have no control over. (shared hosting)
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
If a file gets uploaded as a result of an exploit in Apache then the likelihood of any directives in Apache being able to stop it is virtually zero.
 

DaiShan

Diamond Member
Jul 5, 2001
9,617
1
0
You don't need to do this via .htaccess; in fact I generally recommend against .htaccess files if you have access to the httpd.conf file, since you take a performance hit looking for .htaccess files. In your httpd.conf you can use the <Directory> directive to specify a RemoveType, which I think should work (haven't tested). This way you don't have to worry about Nothinman's original objection.

/edit

I would also make sure that you don't allow any overrides in that directory, and/or that you disable .htaccess for that directory so someone doesn't upload their own .htaccess to get around your httpd.conf entry.
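
The server-level approach described in the post above, written out as an added example (not part of the original thread and not tested by its posters). The directory path, the list of extensions and the module name `mod_php5.c` are assumptions; adjust them to the actual installation.

```apache
# Goes in httpd.conf or a virtual host file, not in .htaccess.
# The path is a placeholder for the forum's upload directory.
<Directory "/var/www/forum/uploads">
    # Ignore .htaccess files in this directory, so an uploaded
    # .htaccess cannot re-enable anything switched off below.
    AllowOverride None

    # No CGI execution from this directory.
    Options -ExecCGI

    # Drop extension mappings made elsewhere with AddType / AddHandler.
    RemoveType .php .phtml .php3 .php4 .php5
    RemoveHandler .php .phtml .php3 .php4 .php5

    # If PHP is attached through a SetHandler elsewhere in the
    # config, clear it for PHP-like names and serve them as text.
    <FilesMatch "\.(php[0-9]?|phtml)$">
        SetHandler None
        ForceType text/plain
    </FilesMatch>

    # With mod_php loaded, switch the interpreter off for this tree.
    # php_admin_flag is valid only in server config such as this and
    # cannot be overridden from .htaccess or ini_set().
    # Assumption: module source name mod_php5.c; it varies by PHP version.
    <IfModule mod_php5.c>
        php_admin_flag engine off
    </IfModule>
</Directory>
```

Run `apachectl configtest` before reloading, then request a harmless test `.php` file from the directory to confirm it is returned as source text rather than executed.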
 

Red Squirrel

No Lifer
May 24, 2003
65,892
11,334
126
I don't have access to the main conf file, it's a shared hosting server. Otherwise I'd do it through that and just have a general upload folder for that type of stuff then disable php in it.
 

Jaskalas

Lifer
Jun 23, 2004
32,701
6,828
136
Place the .htaccess file in a directory above the one you want to secure. Then they cannot control it.
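
For the shared-hosting case, where only .htaccess is available, the two per-directory options discussed in the thread look like this (an added example, not from the original posts). The folder name `uploads`, the extension list and the module name `mod_php5.c` are assumptions, and both files depend on what the host permits through AllowOverride.

```apache
# ---- File 1: uploads/.htaccess (inside the upload folder) ----
# php_admin_flag is not accepted in .htaccess files, which produces
# the internal server error from the first post. php_flag is the
# per-directory form; it needs mod_php and AllowOverride Options
# (or All) granted by the host.
# Assumption: module source name mod_php5.c; it varies by PHP version.
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>

# ---- File 2: .htaccess in the parent directory (forum root) ----
# Answer 403 Forbidden for any PHP-like file under uploads/.
# In .htaccess the pattern is matched relative to this directory.
# Needs mod_rewrite and AllowOverride FileInfo (or All).
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule ^uploads/.*\.(php[0-9]?|phtml)$ - [F,NC]
</IfModule>
```

Settings in a deeper .htaccess take precedence over the parent's, so this layout depends on the upload folder not accepting a .htaccess of its own, which is the limitation raised earlier in the thread.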
 
