Re: Disabling PHP in a subdirectory via the apache2.conf?

On Tue, Jun 9, 2020 at 2:25 AM Klaus Neudecker <klaus.neudecker@xxxxxxxx> wrote:
>
> Thank you very much, Jose!
>
> The disabling of the php-scripts in the .conf works! Fine, half of the problem is solved!
>
> BUT, I am not quite sure if people are not able to reenable it by a .htaccess file.
> I just made a try of this: I made an entry in the .conf:
>
> <Directory "d:/...">
>     php_admin_value engine Off
> </Directory>
>
> => OK, works fine: the PHP is not processed, it comes as source code
>
> Then I put a .htaccess file into d:/... into which I wrote:
> php_admin_value engine On
>
> => apache delivered me a 500 error.
>
> Therefore, does anyone know:
> a) does the Apache server already have a mechanism to block the switching on of the PHP engine in .htaccess files GENERALLY? (switching off works!)
> b) Better - in order to be 200% sure - is there a possibility like "AllowOverride" e.g. to disable the switching on/off of the php engine in .htaccess files?
You should read up on HTTPD documentation, when in doubt, i.e.,
"When [AllowOverride] directive is set to None and AllowOverrideList
is set to None, .htaccess files are completely ignored. In this case,
the server will not even attempt to read .htaccess files in the
filesystem."
< https://httpd.apache.org/docs/2.4/mod/core.html#allowoverride >

>
> Sincerely
> Klaus
>
> Jose R R < jose.r.r@xxxxxxxxxxx> wrote on 8 June 2020 at 00:14:
>
>
> Niltze [Hello], Klaus-
>
> On Sun, Jun 7, 2020 at 12:12 PM Klaus Neudecker
> < klaus.neudecker@xxxxxxxx> wrote:
> >
>
> Hello,
>
> I have my Apache main directory: /www (<Directory /www> /
> DocumentRoot /www)
>
> In this directory and its subdirectories *.php files get executed by php.
>
> In the subdirectory /www/publications (and recursively in its
> subdirectories) I allow people (relatively trustworthy!) on the
> filesystem to drop publications, documentations e.g. which are
> referenced by a database as path+filename to the files. php then
> produces with this database information www-pages with html-links to
> these files.
>
> If people drop *.php files as documentation for the source code(!) in
> /www/publications these *.php scripts get executed, too. Dangerously(!)
> and no documentation for the source code.
>
> Therefore I want that no *.php files get executed within
> /www/publications . It should be stupidly delivered like a *.html file.
>
> I already managed this by a .htaccess file with the entry "php_flag
> engine off".
>
> But the .htaccess file could be deleted or .htaccess files with
> "php_flag engine on" could get put in another subdirectory. :-(
>
> Therefore:
>
> a) I want to put the "php_flag engine off" in the apache2.conf.
>
> You may want to adapt this example to your main httpd.conf
> < https://lxadm.com/Apache:_disabling_PHP_execution_in_selected_directories >
>
> >
>
> b) Add an "AllowOverride" in this apache2.conf that allows ONLY no
> switching OF THE "PHP_FLAG ENGINE OFF" in this directory or any
> subdirectory. (But I have to be able to use a .htaccess in these
> directories with e.g. "Options +Indexes"!)
>
> Does anyone of you have an idea how to implement this in the apache2.conf?
>
> Sincerely
>
> Klaus
>
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx

Good luck!

-- 
Jose R R
http://metztli.it
---------------------------------------------------------------------------------------------
Download Metztli Reiser4: Debian Buster w/ Linux 5.5.19 AMD64
---------------------------------------------------------------------------------------------
feats ZSTD compression https://sf.net/projects/metztli-reiser4/
-------------------------------------------------------------------------------------------
Official current Reiser4 resources: https://reiser4.wiki.kernel.org/

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
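
An added configuration example, not written by either participant in this thread, combining the two points discussed above: the PHP engine switched off in the server config and .htaccess limited to toggling directory indexes. It assumes mod_php is loaded and uses the /www/publications path from the original question.

```apache
# Before (from the question): the protection lives in a file that anyone with
# write access to the directory can delete or counter in a subdirectory.
#   /www/publications/.htaccess:   php_flag engine off

# After: in apache2.conf (server config), out of reach of the uploaders.
<Directory "/www/publications">
    # php_admin_flag is valid only in server/virtual-host config. Putting it
    # in .htaccess is a configuration error (hence the 500 seen above), and a
    # value set with it cannot be overridden by php_flag/php_value in
    # .htaccess or by ini_set().
    php_admin_flag engine off

    # .htaccess may use the Options directive, but only to toggle Indexes,
    # so "Options +Indexes" keeps working in these directories.
    # Note: mod_php accepts php_flag/php_value wherever Options overrides are
    # allowed, so such lines are still parsed here; they cannot re-enable the
    # engine because of the php_admin_flag above.
    AllowOverride Options=Indexes
</Directory>
```

Run `apachectl configtest` before reloading, then confirm that a test .php file placed in a subdirectory alongside an .htaccess containing `php_flag engine on` is still returned as source.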