Hello,
Is it possible to disable running of PHP on certain directories? I am running a server which provides personal homepage service. However, not every user is familiar with security; some may upload PHP scripts with bugs/holes. I do not want them to be executed on the server. I can enable safe_mode, but I have some other PHP scripts which need safe_mode to be disabled. Any suggestions?
Regards, Wei Yu
This is just an off the cuff guess, but you can associate the .php file extension so that it's treated like .htm in those select directories. You would have to do this in your httpd.conf and on a specific per directory basis or, if you're using virtual hosts, you can put the assignment in the config for the vhost that you want php disabled.
Geoff
-----Original Message-----
From: "Wei Yu" zig.wei@gmail.com
Date: Wed, 26 Sep 2007 11:19:59
To: "CentOS mailing list" centos@centos.org
Subject: [CentOS] General question about PHP
Yes. In your httpd.conf, you can include:

    <Directory "/var/www/sheep/html/tmp">
        php_flag engine off
    </Directory>

which disables PHP processing for the directory /var/www/sheep/html/tmp. You could probably just include

    php_flag engine off

in an .htaccess in the directory in question, assuming you've set AllowOverride to an appropriate value, and don't mind the slight performance hit of doing it that way.

We use the former method to protect areas where users are permitted to upload files to (mediawiki in this case), stopping a user uploading something malicious which would then execute in the context of the webserver.
Craig Miskell
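
The per-directory approach from the reply above, applied to user home pages, as an added example that is not part of the original thread. It assumes Apache 2.4 with mod_php; the path /home/*/public_html and the extension list are assumptions. It shows why the choice between php_flag and php_admin_flag matters when users control their own directories.

```apache
# Added example (not from the thread). Assumes Apache 2.4 + mod_php;
# the directory path and extension list are assumed values.

# Weaker form, shown commented out: php_flag can be switched back on from
# a user's own .htaccess whenever AllowOverride for that directory
# includes Options (or All).
#<Directory "/home/*/public_html">
#    AllowOverride All
#    php_flag engine off
#</Directory>

# Stricter form: php_admin_flag is honoured only in the server
# configuration, so an uploaded .htaccess cannot re-enable the engine,
# and AllowOverride None stops .htaccess files being read at all.
<Directory "/home/*/public_html">
    AllowOverride None
    php_admin_flag engine off

    # With the engine off, mod_php declines the request and Apache would
    # serve the script as plain text; refuse those requests instead.
    <FilesMatch "\.(php|phtml|phar)$">
        Require all denied
    </FilesMatch>
</Directory>
```

Running `apachectl configtest` after the change checks the syntax before the server is reloaded.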
That's great, thank you!