X-Git-Url: https://jasonwoof.com/gitweb/?a=blobdiff_plain;f=.htaccess;h=e2884e3af30adc5022b66606f6676137a9a16429;hb=cd38e5f5860aa72e8d0548a7ae3d8489aec48062;hp=c496a282feb1c293579655da7846a53b69519ddf;hpb=7eee99585040417e2be07833570d11ccd7e66c44;p=wfpl-cms.git

diff --git a/.htaccess b/.htaccess
index c496a28..e2884e3 100644
--- a/.htaccess
+++ b/.htaccess
@@ -7,9 +7,7 @@ DirectoryIndex disabled
 AddDefaultCharset UTF-8
 AddCharset UTF-8 .css
 RewriteEngine  on
-RewriteRule    ^[^/.]*$  /wfpl_main.php [L]
-# Close loophole in security restriction/exception below
-RewriteRule    ^.*/.*wfpl_main.php$  /wfpl_main.php [L]
+RewriteRule ^[^/.]*$ /wfpl_main.php [L]
 
 <FilesMatch "\.(css|jpg|png)$">
 	ExpiresActive On
@@ -23,11 +21,17 @@ SetHandler default-handler
 Options SymlinksIfOwnerMatch
 php_flag engine off
 RemoveHandler .cgi .php .php3 .php4 .php5 .phtml .pl .py .pyc .pyo
-# Exception: allow access to wfpl_main.php
-#
-# this allows access to any files named "wfpl_main.php" anywhere, so there's a
-# rewrite rule above to use the top-level one, no matter which was requested.
+# code execution exception: allow only /wfpl_main.php
+# <Files> matches regardless of directory/path, so rewrite php in subdirs
+RewriteRule ^(wfpl_main\.php|cms_images_autoresize\.php)$  - [L]
+RewriteRule .*\.php$ - [L,R=404]
 <Files "wfpl_main.php">
 	php_flag engine on
 	SetHandler application/x-httpd-php
 </Files>
+<Files "cms_images_autoresize.php">
+	php_flag engine on
+	SetHandler application/x-httpd-php
+</Files>
+RewriteCond %{REQUEST_FILENAME} !-f
+RewriteRule ^cms_images/[0-9a-f]+w[0-9]+\.[pj][np]g$ /cms_images_autoresize.php