disable server-side code except wfpl_main.php

diff --git a/.htaccess b/.htaccess
index 7ba7ac4..173e9bf 100644 (file)
--- a/.htaccess
+++ b/.htaccess
@@ -2,14 +2,32 @@ php_value post_max_size 25M
 php_value upload_max_filesize 20M
 php_flag register_globals off
 php_flag magic_quotes_gpc off
-Options -MultiViews
 DirectorySlash Off
 DirectoryIndex disabled
 AddDefaultCharset UTF-8
+AddCharset UTF-8 .css
 RewriteEngine  on
 RewriteRule    ^[^/.]*$  /wfpl_main.php [L]
+# Close loophole in security restriction/exception below
+RewriteRule    ^.*/.*wfpl_main.php$  /wfpl_main.php [L]
 
 <FilesMatch "\.(css|jpg|png)$">
        ExpiresActive On
        ExpiresDefault A31536000
 </FilesMatch>
+
+# SECURITY: don't execute code on the server (exception below)
+SetHandler none
+SetHandler default-handler
+# this option is needed for RewriteRule to work:
+Options SymlinksIfOwnerMatch
+php_flag engine off
+RemoveHandler .cgi .php .php3 .php4 .php5 .phtml .pl .py .pyc .pyo
+# Exception: allow access to wfpl_main.php
+#
+# this allows access to any files named "wfpl_main.php" anywhere, so there's a
+# rewrite rule above to use teh top-level one, no matter which was requested.
+<Files "wfpl_main.php">
+       php_flag engine on
+       SetHandler application/x-httpd-php
+</Files>

diff --git a/inc/wfpl b/inc/wfpl
index 25ae73b..22989a9 160000 (submodule)
--- a/inc/wfpl
+++ b/inc/wfpl
@@ -1 +1 @@
-Subproject commit 25ae73baa4024c9677a412adf6bbc5ac2e56577a
+Subproject commit 22989a9ee35a199c5ef75ace19244761ea8c5af6

diff --git a/styl.styl b/styl.styl
index 2ac584a..7cf26f6 100644 (file)
--- a/styl.styl
+++ b/styl.styl
@@ -239,6 +239,7 @@ td > :first-child,
 th > :first-child,
 legend + *,
 article > :first-child,
+aside > :first-child,
 section > :first-child,
 nav > :first-child,
 div > :first-child,
@@ -249,6 +250,7 @@ td > :last-child,
 th > :last-child,
 fieldset > :last-child,
 article > :last-child,
+aside > :last-child,
 section > :last-child,
 nav > :last-child,
 div > :last-child,