[pLog-svn] r6276 - in plog/branches/lifetype-1.2/class: data/validator misc template test/tests/misc
Jon Daley
plogworld at jon.limedaley.com
Sat Mar 29 16:41:44 EDT 2008
Hrm. I was working on this, but it can really be a whole lot of
things. For instance, lots of places allow php3 php4 php5 to specify the
php version. And phtml seems to be a standard as well.
Maybe we need a deny all, and only allow specific things, and
users can add extensions to it as they want to?
<Files "*">
Order allow,deny
Deny from all
</Files>
# (?i) makes the match case-insensitive; Apache regexes take no /.../i delimiters
<Files ~ "(?i)\.(gif|jpg|mp3|mov|png|bmp|pdf)$">
Allow from all
</Files>
That method seems like a pretty big pain, but I don't know how else to do
it securely. How about getting apache to serve the content as a
binary application with a forcetype or something?
On Sat, 29 Mar 2008, Jon Daley wrote:
> That sounds good to me.
>
> On Sun, 30 Mar 2008, Mark Wu wrote:
>
>> According to the Apache documentation:
>>
>> AddType is case-insensitive.
>>
>> If we really want more strict protection, maybe we can change the <files>
>> section to the following regular expression:
>>
>> <Files ~ "(?i)\.(php|html|pl|py)$">
>>
>> Mark
>>
>>> -----Original Message-----
>>> From: plog-svn-bounces at devel.lifetype.net
>>> [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Jon Daley
>>> Sent: Sunday, March 30, 2008 1:18 AM
>>> To: LifeType Developer List
>>> Subject: Re: [pLog-svn] r6276 - in
>>> plog/branches/lifetype-1.2/class: data/validator misc
>>> template test/tests/misc
>>>
>>> Can someone else check if test.PHP works on their
>>> system? And then check if it works inside the gallery directory?
>>> I don't know why apache is matching *.PHP in:
>>> "AddType application/x-httpd-php .php .php3 .php4 .php5 .phtml"
>>> but not matching *.PHP in "<Files *.php>" in the gallery .htaccess.
>>>
>>> Maybe it only affects people running suphp, that'd be
>>> really nice.
>>>
>>> I wonder if the hosts that disallow .htaccess modifications
>>> are in this case, less secure, because the <Files *.php>Deny
>>> all</Files> in the gallery would have blocked it.
>>> _______________________________________________
>>> pLog-svn mailing list
>>> pLog-svn at devel.lifetype.net
>>> http://limedaley.com/mailman/listinfo/plog-svn
>>
>
> --
> Jon Daley
> http://jon.limedaley.com/
>
> Even if you're on the right track,
> you'll get run over if you just sit there.
> -- Will Rogers
--
Jon Daley
http://jon.limedaley.com/
For every action, there is an equal and opposite criticism.
-- Harrison's Postulate
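To make the thread's point concrete, here is an added Python check that is not code from the thread or from LifeType. It models the three matching rules discussed (a case-sensitive `<Files *.php>` glob, a `(?i)` regex match, and deny-all with a static allowlist) and audits a constructed listing of an upload directory for files that the PHP handler would execute but the rule does not block. The semantics it assumes are: mod_mime's AddType extensions are compared case-insensitively, `<Files>` globs are case-sensitive, and `<Files ~>` / `<FilesMatch>` take a bare PCRE pattern without `/.../i` delimiters; the file names are made up for the example.

```python
import fnmatch
import re

# Extensions the thread's AddType line maps to the PHP handler:
#   AddType application/x-httpd-php .php .php3 .php4 .php5 .phtml
# mod_mime compares extensions case-insensitively, so ".PHP" also matches.
PHP_HANDLER_EXTENSIONS = (".php", ".php3", ".php4", ".php5", ".phtml")

# Allowlist of static types from the deny-all proposal. (?i) replaces the
# /.../i delimiters, which Apache's <Files ~> / <FilesMatch> do not use.
STATIC_ALLOWLIST = re.compile(r"(?i)\.(gif|jpg|mp3|mov|png|bmp|pdf)$")


def handler_runs_as_php(filename):
    """True if mod_mime would hand this file to the PHP handler."""
    return filename.lower().endswith(PHP_HANDLER_EXTENSIONS)


def files_glob_denies(filename, pattern="*.php"):
    """Model <Files *.php>: a plain glob, matched case-sensitively."""
    return fnmatch.fnmatchcase(filename, pattern)


def filesmatch_denies(filename, regex=r"(?i)\.(php|phtml|pl|py)$"):
    """Model <FilesMatch "(?i)...">: a regex with an inline case flag."""
    return re.search(regex, filename) is not None


def allowlist_permits(filename):
    """Model the deny-all-then-allow-static policy: only listed types pass."""
    return STATIC_ALLOWLIST.search(filename) is not None


def audit(filenames, blocked_by):
    """Return files the handler would execute that `blocked_by` fails to stop.

    `blocked_by` is a callable returning True when the policy blocks a file.
    """
    return [f for f in filenames if handler_runs_as_php(f) and not blocked_by(f)]


# Constructed sample listing of an upload ("gallery") directory.
SAMPLE_UPLOADS = [
    "holiday.jpg",
    "clip.MOV",
    "index.php",
    "index.PHP",
    "page.phtml",
    "notes.php5",
    "readme.txt",
]


def compare_policies(filenames=SAMPLE_UPLOADS):
    """Executable files left unblocked by each policy, keyed by policy name."""
    return {
        "Files *.php": audit(filenames, files_glob_denies),
        "FilesMatch (?i)": audit(filenames, filesmatch_denies),
        "deny-all + allowlist": audit(filenames, lambda f: not allowlist_permits(f)),
    }


if __name__ == "__main__":
    for name, gaps in compare_policies().items():
        print(f"{name:22} unblocked: {gaps}")
```

Run as a script, it shows that the plain glob leaves `index.PHP`, `page.phtml` and `notes.php5` unblocked, that the regex form catches the case variant but still misses `.php5` unless the php3/php4/php5 extensions from the AddType line are added to its alternation, and that the deny-all policy blocks every handler-mapped name while still serving `clip.MOV`. Against a real deployment, feed it the actual directory listing and treat the web server's own matching as authoritative; this model only explains which rule to expect to fail.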