Restricting htaccess heirarchy
Hello,
We have a few servers running WHM/cPanel 11.38.2 on CentOS 5.10.
Here's the TL;DR:
I have a .htaccess file with rewrite rules in a certain directory. Ideally I want to ignore all .htaccess files in sub-directories under that one, or alternatively add a rule to always use those rewrite rules and ignore rewrite rules in .htaccess files inside sub-directories.
Here are the specifics:
Our PHP application allows admin users to upload content which can contain any arbitrary files (including other PHP scripts or .htaccess files). If a zip file is uploaded as a piece of content, it is simply extracted into the directory for that content, so the zip file could have any number of directories and files inside it. We have some application options that admins can use to restrict access to all content directories to only logged-in users, and also to restrict uploaded PHP code from running. In order to accomplish that, we have a .htaccess file inside the root content directory (called resources) which redirects all requests to a PHP script outside of that directory:
So that file goes into the resources directory, and whenever someone uploads a new piece of content then it will create a sub-directory inside resources and put the content files there. However, I just discovered that if the content contains a .htaccess file with rewrite rules, then our protection scheme gets completely bypassed, it no longer redirects requests to our authentication/authorization script so the protections offered by that auth_resource.php file no longer come into play. Ideally, I would like to be able to add additional rules to the .htaccess file inside the resources directory to simply tell Apache to ignore all .htaccess files inside any sub-directory, I don't want user-uploaded files to change Apache directives at all. If that isn't possible, then it would at least be better to have a directive that tells Apache to always use the rewrite rules inside the resources .htaccess file and ignore any other rules, so that at least we can make sure that our authorization script is never going to be bypassed when that feature in the application is enabled. Do I have any solution for this other than scanning all content directories to delete uploaded .htaccess files? Thanks
Options FollowSymLinks
RewriteEngine On
RewriteRule .* ../auth_resource.php?__f=$0 [L,QSA]
So that file goes into the resources directory, and whenever someone uploads a new piece of content then it will create a sub-directory inside resources and put the content files there. However, I just discovered that if the content contains a .htaccess file with rewrite rules, then our protection scheme gets completely bypassed, it no longer redirects requests to our authentication/authorization script so the protections offered by that auth_resource.php file no longer come into play. Ideally, I would like to be able to add additional rules to the .htaccess file inside the resources directory to simply tell Apache to ignore all .htaccess files inside any sub-directory, I don't want user-uploaded files to change Apache directives at all. If that isn't possible, then it would at least be better to have a directive that tells Apache to always use the rewrite rules inside the resources .htaccess file and ignore any other rules, so that at least we can make sure that our authorization script is never going to be bypassed when that feature in the application is enabled. Do I have any solution for this other than scanning all content directories to delete uploaded .htaccess files? Thanks
-
Hello :) This thread should be helpful: Disable .htaccess Thank you. 0 -
Thanks for the reply. It doesn't look like the AllowOverride directive is going to work for this situation. It looks like I can only apply that directive in the main server config file, and I can't use regular expressions to specify the directories. So that wouldn't work if I want to set a rule to disallow .htaccess files in all subdirectories under /home/[user]/public_html/resources while allowing the .htaccess file in resources to keep working. For us that directory pattern would have to be public_html/resources/[0-9]*/. 0 -
[quote="outpostmm, post: 1495771">Thanks for the reply. It doesn't look like the AllowOverride directive is going to work for this situation. It looks like I can only apply that directive in the main server config file, and I can't use regular expressions to specify the directories. So that wouldn't work if I want to set a rule to disallow .htaccess files in all subdirectories under /home/[user]/public_html/resources while allowing the .htaccess file in resources to keep working. For us that directory pattern would have to be public_html/resources/[0-9]*/.
If you read here: [url=http://httpd.apache.org/docs/2.2/mod/core.html#allowoverride]core - Apache HTTP Server It says: [QUOTE] AllowOverride is valid only in sections specified without regular expressions, not in , or sections.
You should be able to get it to work if you set AllowOverride in each virtualhost separately.0 -
If I can't use a regular expression in the directory specification, how can I set that option for all sub-directories under resources while still allowing it in resources? 0 -
[quote="outpostmm, post: 1495792">If I can't use a regular expression in the directory specification, how can I set that option for all sub-directories under resources while still allowing it in resources?
Right, guess it's not possible then... What if you disable .htaccess completely and then do that redirection in virtualhost(s)?0
Please sign in to leave a comment.
Comments
5 comments