AddDefaultCharset UTF-8
AddCharset UTF-8 .css
RewriteEngine on
-RewriteRule ^[^/.]*$ /wfpl_main.php [L]
-# Close loophole in security restriction/exception below
-RewriteRule ^.*/.*wfpl_main.php$ /wfpl_main.php [L]
+RewriteRule ^[^/.]*$ /wfpl_main.php [L]
<FilesMatch "\.(css|jpg|png)$">
ExpiresActive On
Options SymlinksIfOwnerMatch
php_flag engine off
RemoveHandler .cgi .php .php3 .php4 .php5 .phtml .pl .py .pyc .pyo
-# Exception: allow access to wfpl_main.php
-#
-# this allows access to any files named "wfpl_main.php" anywhere, so there's a
-# rewrite rule above to use the top-level one, no matter which was requested.
+# code execution exception: allow only /wfpl_main.php
+# <Files> matches regardless of directory/path, so rewrite php in subdirs
+RewriteRule ^(wfpl_main\.php|paypal_ipn\.php|cms_images_autoresize\.php)$ - [L]
+RewriteRule .*\.php$ - [L,R=404]
<Files "wfpl_main.php">
php_flag engine on
SetHandler application/x-httpd-php
</Files>
+<Files "paypal_ipn.php">
+ php_flag engine on
+ SetHandler application/x-httpd-php
+</Files>
+<Files "cms_images_autoresize.php">
+ php_flag engine on
+ SetHandler application/x-httpd-php
+</Files>
+RewriteCond %{REQUEST_FILENAME} !-f
+RewriteRule ^cms_images/[0-9a-f]+w[0-9]+\.[pj][np]g$ /cms_images_autoresize.php