[pLog-svn] r6280 - in plog/branches/lifetype-1.2: gallery plugins

jondaley at devel.lifetype.net jondaley at devel.lifetype.net
Sat Mar 29 17:43:01 EDT 2008


Author: jondaley
Date: 2008-03-29 17:43:00 -0400 (Sat, 29 Mar 2008)
New Revision: 6280

Modified:
   plog/branches/lifetype-1.2/gallery/.htaccess
   plog/branches/lifetype-1.2/plugins/.htaccess
Log:
tighten up security on directories that need public access, but shouldn't allow executable scripts

Modified: plog/branches/lifetype-1.2/gallery/.htaccess
===================================================================
--- plog/branches/lifetype-1.2/gallery/.htaccess	2008-03-29 20:07:30 UTC (rev 6279)
+++ plog/branches/lifetype-1.2/gallery/.htaccess	2008-03-29 21:43:00 UTC (rev 6280)
@@ -1,15 +1,20 @@
-<Files "*.php">
+# case insensitive file matching.  See conversations on the svn list circa 2008-03-29
+# regarding this setting.  It is basically impossible to get this string perfect,
+# and so there is an inherent security risk of allowing untrusted users to upload
+# files
+<Files ~ "/\.(php|php3|php4|php5|php6|pht|php3p|phtml|htm|html|pl|py|pyc|pyo|rb|cgi)$/i">
  Order allow,deny
  Deny from all
 </Files>
 
-<Files "*.htm">
- Order allow,deny
- Deny from all
-</Files>
 
-<Files "*.html">
- Order allow,deny
- Deny from all
-</Files>
-
+# to be more secure, you can deny access to all files
+# and then only allow access to specific extensions
+#<Files "*">
+# Order allow,deny
+# Deny from all
+#</Files>
+#
+#<Files ~ "/\.(gif|jpg|mp3|mov|png|bmp|pdf)$/i">
+#  Allow from all
+#</Files>
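Review bot: The new `<Files ~ …>` pattern at the top of the hunk almost certainly selects no files, so the commit drops the protection the old `<Files "*.php">` gave instead of tightening it. Apache's `<Files ~>`/`<FilesMatch>` takes the whole quoted string as a bare PCRE pattern: the surrounding `/…/` are not delimiters and the trailing `i` is not a flag, so the pattern is read as a literal `/`, the extension, end-of-string and then a literal `/i`, which can never match (and the leading `/` alone would already fail, since `<Files>` is matched against the basename). Use an inline option instead, `<Files ~ "(?i)\.(php|php3|php4|php5|php6|pht|php3p|phtml|htm|html|pl|py|pyc|pyo|rb|cgi)$">`, and the same form for the commented allow-list, `#<Files ~ "(?i)\.(gif|jpg|mp3|mov|png|bmp|pdf)$">`. After the change it is worth requesting a `.php` file in this directory directly, because the `Order`/`Deny` lines only take effect for files the pattern actually selects.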

Modified: plog/branches/lifetype-1.2/plugins/.htaccess
===================================================================
--- plog/branches/lifetype-1.2/plugins/.htaccess	2008-03-29 20:07:30 UTC (rev 6279)
+++ plog/branches/lifetype-1.2/plugins/.htaccess	2008-03-29 21:43:00 UTC (rev 6280)
@@ -1,5 +1,20 @@
-<Files "*.php">
+# case insensitive file matching.  See conversations on the svn list circa 2008-03-29
+# regarding this setting.  It is basically impossible to get this string perfect,
+# and so there is an inherent security risk of allowing untrusted users to upload
+# files
+<Files ~ "/\.(php|php3|php4|php5|php6|pht|php3p|phtml|htm|html|pl|py|pyc|pyo|rb|cgi)$/i">
  Order allow,deny
  Deny from all
 </Files>
 
+
+# to be more secure, you can deny access to all files
+# and then only allow access to specific extensions
+#<Files "*">
+# Order allow,deny
+# Deny from all
+#</Files>
+#
+#<Files ~ "/\.(gif|jpg|mp3|mov|png|bmp|pdf)$/i">
+#  Allow from all
+#</Files>
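Review bot: The regex on the first added line has the same delimiter problem as gallery/.htaccess: Apache treats the quoted string as the PCRE pattern itself, so the leading `/` and trailing `/i` are literal characters and the rule matches nothing; the fix is `<Files ~ "(?i)\.(php|php3|php4|php5|php6|pht|php3p|phtml|htm|html|pl|py|pyc|pyo|rb|cgi)$">` with the same change to the commented `gif|jpg|…` line. Separately, the `$` anchor means a name such as `x.php.jpg` is not caught, and with mod_mime's multiple-extension handling such a file can still reach the PHP handler if one is bound to `.php`, so a deny-by-name list is only defence in depth here; for a directory that should never execute anything, `php_flag engine off` (mod_php only; confirm the SAPI in use, and that plugin files included by the main scripts still load) or `SetHandler default-handler` would stop execution rather than just hide the URL. Both rules also depend on the server's `AllowOverride` permitting `Limit` and `FileInfo` for this path, which the file itself cannot verify.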


