Mailing List Archive

Serious security issue with default Wikipedia installation
Hi.

I'm working on getting wikipedia wiki fully installed for
http://www.consumerium.org/wiki/
and I just got the uploading setting to work so that uploading works,
but...

As I checked where it put the test file I noticed the png I had
uploaded had permissions set to -rwxr-xr-x
which is not a good thing.

Imagine:
1. Upload whack_the_database.php
2. Point your browser to uploadpath/whack_the_database.php assuming it
has access to LocalSettings.php

I heard from taw at #wikipedia that the upload code should make the
files _not executable_ which is not what it did.

He tracked it down to the bug being in move_uploaded_file(
$wpUploadTempName, $wgSavedFile ) or near it.

Could someone take a look at this?

My CVS-dump is dated 22.2.2003

regards, Juho Heikkurinen
Re: Serious security issue with default Wikipedia installation
> (Juho Heikkurinen <juho@consumerium.org>):
> Hi.
>
> As I checked where it put the test file I noticed the png I had
> uploaded had permissions set to -rwxr-xr-x
> which is not a good thing.

This isn't a security problem on Wikipedia because Apache is
configured not to execute anything outside the wiki directories.
But I can see it might be a problem for other installations, so
I added a "chmod(..., 0644)" to the code after the move.

--
Lee Daniel Crocker <lee@piclab.com> <http://www.piclab.com/lee/>
"All inventions or works of authorship original to me, herein and past,
are placed irrevocably in the public domain, and may be used or modified
for any purpose, without permission, attribution, or notification."--LDC
Re: Serious security issue with default Wikipedia installation
On Tue, 2003-03-18 at 08:20, Juho Heikkurinen wrote:
> As I checked where it put the test file I noticed the png I had
> uploaded had permissions set to -rwxr-xr-x

Hmm, that would be a PHP issue I suppose. We don't touch the permissions
as far as I know.

> 1. Upload whack_the_database.php
>
> 2. Point your browser to uploadpath/whack_the_database.php assuming it
> has access to LocalSettings.php

This should probably be in the documentation:

*** FOR THE LOVE OF WIKI, CONFIGURE YOUR WEB SERVER TO DISABLE EXECUTION
OF PHP SCRIPTS AND OTHER SUCH THINGS IN THE UPLOAD DIRECTORY! ***

The simplest way to do this of course is to only _enable_ php for the
directories where your scripts are stored. What we use is a global
option to turn it off:
<IfModule mod_php4.c>
    php_admin_flag engine off
</IfModule>

then each wiki's business directory is explicitly turned on:
<Directory "/usr/local/apache/htdocs/w">
    <IfModule mod_php4.c>
        php_admin_flag engine on
    </IfModule>
    # other options...
</Directory>

This is in no way related to the executable bit, since php is usually
run as an apache module.

-- brion vibber (brion @ pobox.com)
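
Added example, not part of the thread or of the Wikipedia code: a shell audit of an upload directory for the two separate conditions discussed above, files carrying an execute bit and files whose names a PHP-enabled server could hand to the interpreter. The function names, the extension list and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit an upload directory. Not code from the thread.

# Report files with any execute bit set, and files with script-like names.
# The extension list is an assumption; match it to your server's handlers.
audit_uploads() {
    dir=$1
    # Execute bit for user, group or other (the -rwxr-xr-x case reported).
    find "$dir" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) -print |
        sort | sed 's/^/exec-bit /'
    # Names mod_php would run if the engine is left on for this directory.
    find "$dir" -type f \
        \( -name '*.php' -o -name '*.php[0-9]' -o -name '*.phtml' \) -print |
        sort | sed 's/^/script-name /'
}

# Normalise modes, the same effect as the chmod(..., 0644) added after the
# move. This clears exec-bit findings only; script-name findings need the
# web server change (php_admin_flag engine off for the upload directory).
fix_upload_modes() {
    find "$1" -type f -exec chmod 0644 {} +
}

# Constructed sample tree standing in for a real upload path.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    : > "$d/photo.png";              chmod 0755 "$d/photo.png"
    : > "$d/notes.txt";              chmod 0644 "$d/notes.txt"
    : > "$d/whack_the_database.php"; chmod 0644 "$d/whack_the_database.php"
    printf '%s\n' "$d"
}

# Demo on the constructed tree: sh audit_uploads.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo_dir=$(make_sample_tree)
    echo "before chmod:"; audit_uploads "$demo_dir"
    fix_upload_modes "$demo_dir"
    echo "after chmod:";  audit_uploads "$demo_dir"
    rm -rf "$demo_dir"
fi
```

After fix_upload_modes the exec-bit finding disappears but the script-name finding remains, which matches the point made in the last reply that the executable bit and PHP execution under the Apache module are unrelated.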