I don't want to parse PHP in one directory

semesterdavid

Hi gurus,

Simple question. I don´t want to parse php in one directory readable by my webserver. How can I configure Apache to allow php for directory 1 but not for directory 2

The reason for this is that people can upload files to this directory and it's not good if they can execute cgis or php...

I'm running the latest and greatest version of PHP and Apache 2 on a Linux box.

TIA,
/David

DigitalExpl0it

just upload to a folder thats not in the apache path like /tmp

semesterdavid

Originally posted by DigitalExpl0it
just upload to a folder thats not in the apache path like /tmp

But I want it to be in the path!!

I use a perl script to strip attachments from e-mails and put the attachments on a site before deliver the e-mails to a mailing list. An url to the attachment is included with the mail. I just want to make sure that people don't upload php files to get information from my server...

stolzyboy

so, don't allow .php, or .php3 files to be uploaded, you can do a simple mime-type check to check for that

if (mime-type check == "mimetypeforphp")
{
//don't allow
}
else
{
allow
}

or you could let them upload .php and .php3 files, but rename them to .html or any other extension, then they won't be interpreted by apache and the webserver

semesterdavid

Originally posted by stolzyboy
so, don't allow .php, or .php3 files to be uploaded, you can do a simple mime-type check to check for that

if (mime-type check == "mimetypeforphp")
{
//don't allow
}
else
{
allow
}

or you could let them upload .php and .php3 files, but rename them to .html or any other extension, then they won't be interpreted by apache and the webserver

The problem is that I don't upload the files with php. The files arrives via e-mail and a perl script to the directory. It's possible to modify the perl script, but I don't want to do that. I don't know much about perl or php 🙂

I just want to tell the webserver to ignore parsing php in one directory. I did some googling and a .htaccess file with php configuration parameters might be a solution?

stolzyboy

yeah, you may be able to do it via htaccess

drew010

in a .htaccess file in the folder you dont want to parse php put:

AddHandler text/plain .php .php3 .phps .php4 .phtml

semesterdavid

Originally posted by drew010
in a .htaccess file in the folder you dont want to parse php put:

AddHandler text/plain .php .php3 .phps .php4 .phtml

Thank you.
Problem solved 🙂

timj

Please make sure that:
-your perl script does not allow the upload of a .htaccess file, otherwise a hacker can overwrite it to get access...
-your httpd.conf file of Apache allows the use of .htaccess files, otherwise it won't work.