X-Git-Url: https://jasonwoof.com/gitweb/?a=blobdiff_plain;f=.htaccess;h=af54bb2b494e6659845f392a8efc02f5c7f713c1;hb=fb07271dfd352aaed61375fd270730d74fed6d9d;hp=7ba7ac4340a2c8d741eef41c06420bbf225ccb78;hpb=8c4eef93b5d12e5453780b2b23c6a06af5d3894f;p=wfpl-cms.git
diff --git a/.htaccess b/.htaccess
index 7ba7ac4..af54bb2 100644
--- a/.htaccess
+++ b/.htaccess
@@ -2,14 +2,32 @@ php_value post_max_size 25M
php_value upload_max_filesize 20M
php_flag register_globals off
php_flag magic_quotes_gpc off
-Options -MultiViews
DirectorySlash Off
DirectoryIndex disabled
AddDefaultCharset UTF-8
+AddCharset UTF-8 .css
RewriteEngine on
RewriteRule ^[^/.]*$ /wfpl_main.php [L]
+# Close loophole in security restriction/exception below
+RewriteRule ^.*/.*wfpl_main.php$ /error_404 [L,R]
ExpiresActive On
ExpiresDefault A31536000
+
+# SECURITY: don't execute code on the server (exception below)
+SetHandler none
+SetHandler default-handler
+# this option is needed for RewriteRule to work:
+Options SymlinksIfOwnerMatch
+php_flag engine off
+RemoveHandler .cgi .php .php3 .php4 .php5 .phtml .pl .py .pyc .pyo
+# Exception: allow access to wfpl_main.php
+#
+# this allows access to any files named "wfpl_main.php" anywhere, so there's a
+# rewrite rule above to use the top-level one, no matter which was requested.
+
+ php_flag engine on
+ SetHandler application/x-httpd-php
+