Bug 4986 - Add access restrictions for clipart incoming directory
Status: RESOLVED FIXED
Product: freedesktop.org
Classification: Unclassified
Component: Website
Version: unspecified
Hardware: Other Linux (All)
Importance: high normal
Assigned To: fd.o Admin Massive
Reported: 2005-11-07 15:05 UTC by Bryce Harrington
Modified: 2005-11-20 19:29 UTC (History)
Description Bryce Harrington 2005-11-07 15:05:33 UTC
Hi,  
  
Can you add the following restrictions to the Apache configuration for the  
openclipart site?  It appears that .htaccess does not allow adding these  
parameters locally.  
  
<Directory "/srv/clipart.freedesktop.org/clipart_web/incoming*">  
    AllowOverride None  
  
    # Serve HTML as plaintext  
    AddType text/plain .html .htm .shtml  
       
    # Don't run arbitrary PHP code.  
    php_admin_flag engine off  
  
    # Disable other script types  
    <Files ~ "\.(php|php3|php4|phps|phtml|shtm|shtml|cgi|pl|pm|asp|cfm|js|jse|jsp|jar|py|exe|com|bat|dll|pif|scr|reg|inf|htaccess)$">
        order allow,deny  
        deny from all  
    </Files>  
  
</Directory>  
  
While we check that uploaded files are .svg's during upload, this would give a  
stronger measure of security by preventing them from being executed.  
 
To test the change, this URL:  http://openclipart.org/incoming/contact.php 
should return the php as non-executed plain text, not as a web page. 
 
Thanks,  
Bryce
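
An added example, not part of the original report or of the site's own code: a small Python check for the test described above, run here over constructed responses. The function names and sample data are hypothetical; because .php is on the request's deny list, the check accepts a 403 as well as plain-text source as evidence that the script was not executed.

```python
import re

# Extension list copied from the <Files> block in the request above.
DENIED = re.compile(
    r"\.(php|php3|php4|phps|phtml|shtm|shtml|cgi|pl|pm|asp|cfm|js|jse|"
    r"jsp|jar|py|exe|com|bat|dll|pif|scr|reg|inf|htaccess)$"
)
PLAIN_HTML = re.compile(r"\.(html|htm|shtml)$")  # AddType text/plain targets
SOURCE_MARKERS = ("<?php", "<?=", "<%")  # unexecuted script source in a body


def expected_handling(filename):
    """Predict how the requested rules treat a file under incoming/."""
    if DENIED.search(filename):
        return "denied"  # order allow,deny + deny from all: Apache answers 403
    if PLAIN_HTML.search(filename):
        return "plaintext"  # delivered, but labelled text/plain
    return "served"


def classify_response(status, content_type, body):
    """Classify the response to a request for a known script file."""
    if status == 403:
        return "denied"
    mime = content_type.split(";")[0].strip().lower()
    if status == 200 and any(m in body for m in SOURCE_MARKERS):
        return "source" if mime == "text/plain" else "source-wrong-type"
    if status == 200:
        return "executed"  # script output came back instead of its source
    return "inconclusive"


def audit(samples):
    """Return (filename, verdict, passed) for each recorded response."""
    verdicts = [(n, classify_response(s, c, b)) for n, s, c, b in samples]
    return [(n, v, v in ("denied", "source")) for n, v in verdicts]


# Constructed responses for illustration, not captured from the real site.
SAMPLES = [
    ("contact.php", 403, "text/html; charset=iso-8859-1", "<h1>Forbidden</h1>"),
    ("contact.php", 200, "text/plain", "<?php mail($to, $subject, $msg); ?>"),
    ("contact.php", 200, "text/html", "<html><body>Message sent</body></html>"),
]

if __name__ == "__main__":
    print(*audit(SAMPLES), sep="\n")
```

Only the third sample fails the audit: a 200 response with rendered output and no visible source means the PHP engine is still active for that directory.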
Comment 1 Daniel Stone 2005-11-21 14:29:46 UTC
done, thanks