From a4f644413e4164883a7272bfecddba6d08bae3be Mon Sep 17 00:00:00 2001
From: Jason Woofenden
Date: Fri, 17 Apr 2015 13:35:44 -0400
Subject: [PATCH] disable server-side code except wfpl_main.php
---
 .htaccess | 20 +++++++++++++++++++-
 inc/wfpl | 2 +-
 styl.styl | 2 ++
 3 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/.htaccess b/.htaccess
index 7ba7ac4..173e9bf 100644
--- a/.htaccess
+++ b/.htaccess
@@ -2,14 +2,32 @@ php_value post_max_size 25M
 php_value upload_max_filesize 20M
 php_flag register_globals off
 php_flag magic_quotes_gpc off
-Options -MultiViews
 DirectorySlash Off
 DirectoryIndex disabled
 AddDefaultCharset UTF-8
+AddCharset UTF-8 .css
 RewriteEngine on
 RewriteRule ^[^/.]*$ /wfpl_main.php [L]
+# Close loophole in security restriction/exception below
+RewriteRule ^.*/.*wfpl_main.php$ /wfpl_main.php [L]
 ExpiresActive On
 ExpiresDefault A31536000
+
+# SECURITY: don't execute code on the server (exception below)
+SetHandler none
+SetHandler default-handler
+# this option is needed for RewriteRule to work:
+Options SymlinksIfOwnerMatch
+php_flag engine off
+RemoveHandler .cgi .php .php3 .php4 .php5 .phtml .pl .py .pyc .pyo
+# Exception: allow access to wfpl_main.php
+#
+# this allows access to any files named "wfpl_main.php" anywhere, so there's a
+# rewrite rule above to use teh top-level one, no matter which was requested.
+
+ php_flag engine on
+ SetHandler application/x-httpd-php
+
diff --git a/inc/wfpl b/inc/wfpl
index 25ae73b..22989a9 160000
--- a/inc/wfpl
+++ b/inc/wfpl
@@ -1 +1 @@
-Subproject commit 25ae73baa4024c9677a412adf6bbc5ac2e56577a
+Subproject commit 22989a9ee35a199c5ef75ace19244761ea8c5af6
diff --git a/styl.styl b/styl.styl
index 2ac584a..7cf26f6 100644
--- a/styl.styl
+++ b/styl.styl
@@ -239,6 +239,7 @@ td > :first-child,
 th > :first-child,
 legend + *,
 article > :first-child,
+aside > :first-child,
 section > :first-child,
 nav > :first-child,
 div > :first-child,
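Review bot: The lockdown turns script files into static content rather than denying them — with `php_flag engine off` and `SetHandler default-handler` in force, every `.php`, `.pl` or `.py` file outside the exception is now sent to the client as plain text, so the source of any include (and whatever configuration or credentials it carries) becomes readable. The container lines around the last three added directives appear stripped in this rendering (presumably `<Files wfpl_main.php>` … `</Files>`), so the scope of the exception is inferred. A safer shape keeps the execution lockdown, denies requests for script extensions outright and grants only the front controller; `Require all denied` / `Require all granted` is the Apache 2.4 spelling, on 2.2 use `Order deny,allow` with `Deny from all` and `Allow from all` instead. On the loophole rule, the `.` in `wfpl_main.php` is unescaped (`^.*/.*wfpl_main\.php$` is intended), and since the pattern is `$`-anchored while `<Files>` matches the resolved basename, a request carrying trailing path info would still reach a nested copy if `AcceptPathInfo` is on — `AcceptPathInfo Off` in the same block closes that. It would also help to note on the `Options SymlinksIfOwnerMatch` comment that the bare form clears every other option, including `ExecCGI` and `Indexes`, which is part of the protection here.
```apache
# … unchanged: charset, rewrite and expires directives …
# SECURITY: don't execute code on the server, and don't serve script sources as text either
SetHandler default-handler
php_flag engine off
AcceptPathInfo Off
# … unchanged: Options / RemoveHandler …
<FilesMatch "\.(?:cgi|php[345]?|phtml|pl|py[co]?)$">
    Require all denied
</FilesMatch>
# Exception: the single front controller (the rewrite rules above funnel every request to it)
<Files "wfpl_main.php">
    Require all granted
    php_flag engine on
    SetHandler application/x-httpd-php
</Files>
```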
@@ -249,6 +250,7 @@ td > :last-child,
 th > :last-child,
 fieldset > :last-child,
 article > :last-child,
+aside > :last-child,
 section > :last-child,
 nav > :last-child,
 div > :last-child,
-- 
1.7.10.4