X-Git-Url: https://jasonwoof.com/gitweb/?a=blobdiff_plain;f=.htaccess;h=e2884e3af30adc5022b66606f6676137a9a16429;hb=134de2aa82870e47d5a9b4da266b0354fb27baf4;hp=173e9bf5c54bc131a5e4375663b993c65c43ad1a;hpb=a4f644413e4164883a7272bfecddba6d08bae3be;p=wfpl-cms.git

diff --git a/.htaccess b/.htaccess
index 173e9bf..e2884e3 100644
--- a/.htaccess
+++ b/.htaccess
@@ -7,9 +7,7 @@ DirectoryIndex disabled
 AddDefaultCharset UTF-8
 AddCharset UTF-8 .css
 RewriteEngine  on
-RewriteRule    ^[^/.]*$  /wfpl_main.php [L]
-# Close loophole in security restriction/exception below
-RewriteRule    ^.*/.*wfpl_main.php$  /wfpl_main.php [L]
+RewriteRule ^[^/.]*$ /wfpl_main.php [L]
 
 <FilesMatch "\.(css|jpg|png)$">
 	ExpiresActive On
@@ -23,11 +21,17 @@ SetHandler default-handler
 Options SymlinksIfOwnerMatch
 php_flag engine off
 RemoveHandler .cgi .php .php3 .php4 .php5 .phtml .pl .py .pyc .pyo
-# Exception: allow access to wfpl_main.php
-#
-# this allows access to any files named "wfpl_main.php" anywhere, so there's a
-# rewrite rule above to use teh top-level one, no matter which was requested.
+# code execution exception: allow only /wfpl_main.php
+# <Files> matches regardless of directory/path, so rewrite php in subdirs
+RewriteRule ^(wfpl_main\.php|cms_images_autoresize\.php)$  - [L]
+RewriteRule .*\.php$ - [L,R=404]
 <Files "wfpl_main.php">
 	php_flag engine on
 	SetHandler application/x-httpd-php
 </Files>
+<Files "cms_images_autoresize.php">
+	php_flag engine on
+	SetHandler application/x-httpd-php
+</Files>
+RewriteCond %{REQUEST_FILENAME} !-f
+RewriteRule ^cms_images/[0-9a-f]+w[0-9]+\.[pj][np]g$ /cms_images_autoresize.php