[pLog-svn] r6276 - in plog/branches/lifetype-1.2/class: data/validator misc template test/tests/misc

Jon Daley plogworld at jon.limedaley.com
Sat Mar 29 16:41:44 EDT 2008


 	Hrm.   I was working on this, but it can really be a whole lot of 
things.  For instance, lots of places allow php3 php4 php5 to specify the 
php version.  And phtml seems to be a standard as well.
 	Maybe we need a deny all, and only allow specific things, and 
users can add extensions to it as they want to?

<Files *>
  Order allow,deny
  Deny from all
</Files>

# Apache regexes take no /.../ delimiters; (?i) gives the case-insensitive match
<Files ~ "(?i)\.(gif|jpg|mp3|mov|png|bmp|pdf)$">
  Order allow,deny
  Allow from all
</Files>

That method seems like a pretty big pain, but I don't know how else to do 
it securely.  How about getting apache to serve the content as a 
binary application with a ForceType or something?


On Sat, 29 Mar 2008, Jon Daley wrote:

> 	That sounds good to me.
>
> On Sun, 30 Mar 2008, Mark Wu wrote:
>
>> According to the Apache documentation,
>> 
>> AddType is case-sensitive.
>> 
>> If we really want more strict protection, maybe we can change the <files>
>> section to the following regular expression:
>> 
>> <Files ~ "(?i)\.(php|html|pl|py)$">
>> 
>> Mark
>> 
>>> -----Original Message-----
>>> From: plog-svn-bounces at devel.lifetype.net
>>> [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Jon Daley
>>> Sent: Sunday, March 30, 2008 1:18 AM
>>> To: LifeType Developer List
>>> Subject: Re: [pLog-svn] r6276 - in
>>> plog/branches/lifetype-1.2/class: data/validator misc
>>> template test/tests/misc
>>>
>>>  	Can someone else check if test.PHP works on their
>>> system?  And then check if it works inside the gallery directory?
>>>  	I don't know why apache is matching *.PHP in:
>>> "AddType application/x-httpd-php .php .php3 .php4 .php5 .phtml"
>>> but not matching *.PHP in "<Files *.php>" in the gallery .htaccess.
>>>
>>>  	Maybe it only affects people running suphp, that'd be
>>> really nice.
>>> 
>>> I wonder if the hosts that disallow .htaccess modifications
>>> are, in this case, less secure, because the <Files *.php>Deny
>>> all</Files> in the gallery would have blocked it.
>>> _______________________________________________
>>> pLog-svn mailing list
>>> pLog-svn at devel.lifetype.net
>>> http://limedaley.com/mailman/listinfo/plog-svn
>> 
>
> -- 
> Jon Daley
> http://jon.limedaley.com/
>
> Even if you're on the right track,
> you'll get run over if you just sit there.
> -- Will Rogers
>

-- 
Jon Daley
http://jon.limedaley.com/

For every action, there is an equal and opposite criticism.
-- Harrison's Postulate
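A small model of the two policies discussed in this thread, added here as an illustration and not code from LifeType or Apache: the gallery's case-sensitive "<Files *.php>" denylist versus a deny-all plus case-insensitive allowlist of media extensions, checked against the extensions the quoted AddType line hands to PHP. The sample file names are constructed, and fnmatchcase stands in for Apache's case-sensitive <Files> wildcard.

```python
import fnmatch
import re

# The gallery's original rule, "<Files *.php> Deny from all". Apache's
# <Files> wildcard is case-sensitive, so only a lower-case ".php" suffix
# is blocked.
DENYLIST_GLOBS = ["*.php"]

# Deny-all-then-allow approach: only these extensions are ever served,
# compared case-insensitively ((?i) is how a PCRE regex spells the old /i).
ALLOWLIST_RE = re.compile(r"(?i)\.(gif|jpg|mp3|mov|png|bmp|pdf)$")

# Extensions the quoted AddType line maps to the PHP handler;
# mod_mime compares extensions case-insensitively.
PHP_HANDLER_EXTS = {"php", "php3", "php4", "php5", "phtml"}


def executed_as_php(name):
    """True if mod_mime would hand this file name to the PHP handler."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext in PHP_HANDLER_EXTS


def served_under_denylist(name):
    """<Files *.php> Deny from all: blocked only on an exact-case match."""
    return not any(fnmatch.fnmatchcase(name, g) for g in DENYLIST_GLOBS)


def served_under_allowlist(name):
    """Deny from all, then allow only names matching the media regex."""
    return ALLOWLIST_RE.search(name) is not None


def exposures(names, policy):
    """Files the policy would still serve AND Apache would execute as PHP."""
    return sorted(n for n in names if policy(n) and executed_as_php(n))


# Constructed sample of what might land in an upload directory.
SAMPLE_UPLOADS = ["photo.JPG", "clip.mov", "test.PHP", "x.php5", "y.phtml", "z.php"]

if __name__ == "__main__":
    print("denylist leaves executable:", exposures(SAMPLE_UPLOADS, served_under_denylist))
    print("allowlist leaves executable:", exposures(SAMPLE_UPLOADS, served_under_allowlist))
```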

