| Summary: |
Add access restrictions for clipart incoming directory |
| Product: |
freedesktop.org
|
Reporter: |
Bryce Harrington <bryce> |
| Component: |
Website | Assignee: |
fd.o Admin Massive <sitewranglers> |
| Status: |
RESOLVED
FIXED
|
QA Contact: |
|
| Severity: |
normal
|
|
|
| Priority: |
high
|
|
|
| Version: |
unspecified | |
|
| Hardware: |
Other | |
|
| OS: |
Linux (All) | |
|
| Whiteboard: |
|
|
i915 platform:
|
|
i915 features:
|
|
|---|
Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.
Hi, Can you add the following restrictions to the Apache configuration for the openclipart site? It appears that .htaccess does not allow adding these parameters locally. <Directory "/srv/clipart.freedesktop.org/clipart_web/incoming*"> AllowOverride None # Serve HTML as plaintext AddType text/plain .html .htm .shtml # Don't run arbitrary PHP code. php_admin_flag engine off # Disable other script types <Files ~ "\.(php|php3|php4|phps|phtml|shtm|shtml|cgi|pl|pm|asp|cfm|js|jse| jsp|jar|py|exe|com|bat|dll|pif|scr|reg|inf|htaccess)$"> order allow,deny deny from all </Files> </Directory> While we check that uploaded files are .svg's during upload, this would give a stronger measure of security by preventing them from being executed. To test the change, this URL: http://openclipart.org/incoming/contact.php should return the php as non-executed plain text, not as a web page. Thanks, Bryce