Multi-SSH Key Manager
Alot of PHP applications that i've worked on that allow file uploads place the files into a directory that is publicly accessible, this isn't a problem so long as your upload script never ever allows scripts to be uploaded.
It doesn't matter how good you think your MIME type or extension filtering is why allow the PHP interpreter near the files you never expect to be interpreted?
Disabling The PHP Interpreter
There is a php_engine
directive that Apache exposes, it can be used in both .htaccess
files and the main Apache config, this directive tells the PHP interpreter to just not run.
Usefully this can be placed in a Directory
or DirectoryMatch
block. This effectively allows us to sandboxing a directory, uploads
for example.
Disabling File Handers
Next we tell Apache to handle all files the same, as though they were static content that doesn't need interpreting.
SetHandler none
SetHandler default-handler
RemoveHandler .cgi .php .php3 .php4 .php5 .phtml .pl .py .pyc .pyo
RemoveType .cgi .php .php3 .php4 .php5 .phtml .pl .py .pyc .pyo
Disabling Overrides
As these settings can be defined in an .htaccess
we also prevent Apache reading any .htaccess
files in the directory we are sandboxing. This prevents malicious .htaccess
files disabling all protection we've added.
This is easily done by setting the AllowOverride
directive to None
.
Put It All Together
<DirectoryMatch ^/path/to/(one|many)/directories>
AllowOverride None
SetHandler none
SetHandler default-handler
Options -ExecCGI
php_flag engine off
RemoveHandler .cgi .php .php3 .php4 .php5 .phtml .pl .py .pyc .pyo
RemoveType .cgi .php .php3 .php4 .php5 .phtml .pl .py .pyc .pyo
<Files *>
SetHandler none
SetHandler default-handler
Options -ExecCGI
php_flag engine off
RemoveHandler .cgi .php .php3 .php4 .php5 .phtml .pl .py .pyc .pyo
RemoveType .cgi .php .php3 .php4 .php5 .phtml .pl .py .pyc .pyo
</Files>
</DirectoryMatch>