WebFaction

I'm installing MediaWiki as part of a static/PHP configuration and the documentation recommends that script execution privileges are revoked for the /images directory as users are able to upload files to that location. However, although I found a way to stop Python script execution (by adding Options -ExecCGI to the .htaccess file) I cannot find a way to block PHP execution.

I've tried various tricks from around the web without success:

  • AddType text/plain .php
  • RemoveHandler .php
  • <IfModule php5_module>php_flag engine off</IfModule> (on 3 separate lines)
  • <IfModule mod_php5.c>php_flag engine off</IfModule> (on 3 separate lines)

And none of these have any effect: my test file of <? echo "hello!"; ?> still gets executed when I open it in the browser.

asked 20 Jan '13, 16:00

Kylotan

edited 20 Jan '13, 16:00


Something like this in .htaccess should do it:

<FilesMatch \.php$>
    SetHandler None
</FilesMatch>

If that doesn't work, then:

  1. Create a "symbolic link to static-only" application pointing at your images directory.
  2. Add the app you created in step 1 to your site, using /images as the URL path.

answered 20 Jan '13, 17:32

seanf

Thank you, that first suggestion seems to work perfectly!

(21 Jan '13, 09:30) Kylotan
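
A way to verify the result, added here as an example that is not part of the original thread: the test file in the question echoes a literal that also appears in its own source, so this probe prints a computed value that can only be present if PHP actually ran. The function names, the probe format and the URL in the demo are assumptions made for this example.

```python
import secrets
import urllib.error
import urllib.request

def make_probe():
    """Return (php_source, marker). The marker exists only in executed
    output, never in the source text (hypothetical probe format)."""
    a = secrets.randbelow(10**6) + 10**6
    b = secrets.randbelow(10**6) + 10**6
    source = f"<?php echo 'probe:' . ({a} * {b}); ?>\n"
    return source, f"probe:{a * b}"

def classify(status, body, source, marker):
    """Decide what the server did with the probe from one HTTP response."""
    if status in (401, 403, 404):
        return "blocked"         # the file is not served at all
    if marker in body:
        return "executed"        # a PHP handler is still active here
    if source.strip() in body:
        return "served-as-text"  # raw source came back: execution is off
    return "inconclusive"        # empty body, error page, rewritten content

def check_url(url, source, marker, timeout=10):
    """Fetch the probe you uploaded yourself and classify the response."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
            return classify(resp.status, body, source, marker)
    except urllib.error.HTTPError as err:
        body = err.read().decode("utf-8", "replace")
        return classify(err.code, body, source, marker)

if __name__ == "__main__":
    src, marker = make_probe()
    print("Save this as a .php file in the upload directory:\n" + src)
    # Constructed responses, so the demo runs without a server.
    print(classify(200, marker, src, marker))  # handler still active
    print(classify(200, src, src, marker))     # after SetHandler None
    # Against a real site (placeholder URL):
    # print(check_url("https://example.invalid/images/probe.php", src, marker))
```

Run it once before and once after changing .htaccess, and delete the probe file afterwards.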

You should be able to prevent execution by removing the execute bit from the directory and files in that directory.


answered 20 Jan '13, 16:26

bmeyer71 ♦♦

If I do that, I can't navigate into the directory any more.

(20 Jan '13, 16:33) Kylotan

Just remove execute for other. You may need to leave group with execute.

(20 Jan '13, 16:41) bmeyer71 ♦♦

It still stops the web server from serving any of the files in there. I don't want to lock the whole directory - I just want to prevent script execution.

(20 Jan '13, 16:49) Kylotan

Seems a bit odd. Maybe change the permissions for the directory back to 775 and try the .htaccess example in this link about 1/3 of the way down.

(20 Jan '13, 17:04) bmeyer71 ♦♦

I already had the AddType line, which has no effect. Adding the ForceType block does nothing either, and nor does the AddHandler cgi-script idea.

(20 Jan '13, 17:24) Kylotan

question asked: 20 Jan '13, 16:00

question was seen: 15,068 times

last updated: 05 Jul '14, 15:40
