disable .htaccess using .htaccess

alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

disable .htaccess using .htaccess

Post by alex.barylski »

I have an .htaccess file in a sub-folder which delivers all requests to a proxy script.

In some of those sub-folders I allow arbitrary files to be uploaded which is why I have a proxy script to prevent direct execution of any PHP files, etc.

Problem is...I imagine someone could simply upload an .htaccess file into one of those sub-directories and override my .htaccess and thus circumvent the proxy script and have the PHP file executed.

Can I disable all other .htaccess using .htaccess?

Code: Select all

docroot/images
docroot/articles
docroot/storage/
docroot/storage/.htaccess
docroot/storage/proxy.php
docroot/storage/documents
docroot/storage/photos

People are allowed to upload to 'documents' and 'photos' -- documents can be anything, no checks are performed. These directories MUST stay publicly accessible -- I cannot move them outside docroot.

Ideally I would be able to just say in the 'docroot/storage/.htaccess' that any requests for files under it are sent to proxy.php and any .htaccess files there after are disabled.

I know I can do this in the httpd.conf but I'd prefer using .htaccess as it's more portable.

Possible or out of context?
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: disable .htaccess using .htaccess

Post by VladSun »

Change the owner and write permissions of .htaccess and the directory containing .htaccess ...
There are 10 types of people in this world, those who understand binary and those who don't
alex.barylski

Re: disable .htaccess using .htaccess

Post by alex.barylski »

OK I just realized that I can disable .htaccess using .htaccess files and the <Directory /> directive but then all files stop being processed by the proxy script. :(

I then tried just turning off mod_rewrite like so:

Code: Select all

RewriteEngine off

Code: Select all

docroot/images
docroot/storage/.htaccess
docroot/storage/documents
docroot/storage/documents/.htaccess
docroot/storage/photos

This file contains the RewriteEngine off

Code: Select all

docroot/storage/documents/.htaccess

but when I upload an .htaccess file and proxy.php into the directory:

Code: Select all

docroot/storage/documents/.htaccess
docroot/storage/documents/proxy.php

Seems mod_rewrite is active again...can I not prevent mod_rewrite from executing in any sub-directories of:

Code: Select all

docroot/storage/

While still having any requests to those files sent to my proxy script as intended???

Make sense? Cause even I'm confused :P
alex.barylski

Re: disable .htaccess using .htaccess

Post by alex.barylski »

"Change the owner and write permissions of .htaccess and the directory containing .htaccess ..."

Not sure how I see that solving the problem... :|

I'm not worried about my .htaccess file being over-written...I'm worried about a user uploading a new .htaccess file to a sub-directory under MY .htaccess file and thus overriding my proxy handling, thus allowing them to execute arbitrary code...

I think I just need to disable mod_rewrite for sub-directories under:

Code: Select all

docroot/storage

However the caveat is my proxy.php and .htaccess stored in the above directory should still be passed all requests made to files under the above directory. Disabling mod_rewrite or .htaccess on directories below the above seems to prevent MY proxy from working too...
VladSun

Re: disable .htaccess using .htaccess

Post by VladSun »

Ok, first - why do you need .htaccess at all?
You can do the same in your Apache config and forbid the usage of .htaccess ...

PS: http://httpd.apache.org/docs/2.0/mod/co ... owoverride
When this directive is set to None, then .htaccess files are completely ignored. In this case, the server will not even attempt to read .htaccess files in the filesystem.
alex.barylski

Re: disable .htaccess using .htaccess

Post by alex.barylski »

I have some directories which have user uploaded files and they reside a few levels deep into the docroot.

docroot/images/
docroot/storage/
docroot/storage/documents/
docroot/storage/templates/

The last two are where the files are uploaded by end users -- arbitrary files, no checks...that means a hacker could upload a PHP script into either and then access that script using the browser and potentially view source code, delete files, etc.

To prevent this I setup a proxy script inside the 'docroot/storage' directory, like so:

Code: Select all

RewriteEngine on
RewriteRule ^(.+)$ proxy.php?file=$1 [QSA]

Code: Select all

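<?php

  // TODO: Prevent browser caching

  // Canonicalize the requested path and make sure it stays inside this
  // directory (not reaching somewhere it's not supposed to)
  $base = realpath(dirname(__FILE__));
  $file = realpath($base . '/' . (isset($_GET['file']) ? $_GET['file'] : ''));
  if ($file === false || !is_file($file)
      || strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
    header('HTTP/1.0 404 Not Found');
    exit;
  }
  echo file_get_contents($file);

Now regardless of the type of file uploaded to those directories (even PHP) the files are NEVER executed by PHP or any other interpreter, etc...they are simply returned to the browser as files like intended.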

My concern is...someone could upload an .htaccess file into the :

Code: Select all

docroot/storage/documents/

And essentially override MY .htaccess and proxy.php thus circumventing my protection mechanism and allowing them to run arbitrary code.

The solution of course, is to store the files outside the docroot and use a publicly accessible proxy (similar to what I have) however this is not acceptable in this situation and I would much prefer to simply disable any .htaccess files after this point:

Code: Select all

docroot/storage/.htaccess

I have managed to disable the .htaccess using the following:

Code: Select all

# disable .htaccess in this path 
<Directory /templates/*> 
  AllowOverride None 
</Directory> 
<Directory /documents/*> 
  AllowOverride None 
</Directory>

I have this in my .htaccess file stored here:

Code: Select all

docroot/storage/.htaccess

The problem is...any file requests now for the files stored in 'docroot/storage/templates' or 'docroot/storage/documents' result in an Internal Server Error or similar message...I assume because .htaccess has been disabled for requests in those directories...

EDIT | Apparently <Directory> is not applicable in .htaccess files :(
VladSun

Re: disable .htaccess using .htaccess

Post by VladSun »

So you are still using .htaccess ... I suggested not to use it at all... You should understand that whatever you write in .htaccess can be written in the main Apache config files (which are secured, I hope ;) :P )...
alex.barylski

Re: disable .htaccess using .htaccess

Post by alex.barylski »

No I have to move the <Directory /> into the config files and not use .htaccess at all :(

It makes for slightly more work when adding accounts but whatever at least it works in preventing people from overriding my proxy script.
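
The outcome the thread arrives at, written out as an added example (not posted by either participant): the proxy rule moves into the main server config and `AllowOverride None` stops Apache from reading any uploaded .htaccess. The filesystem path is a placeholder, and the pass-through rule for proxy.php and the `L` flags are additions to the rule quoted earlier in the thread.

```apache
# Main server config (httpd.conf or a vhost file), not .htaccess.
# /path/to/docroot is a placeholder for the real document root.

# Weak setting the thread starts from: overrides are allowed, so an
# uploaded docroot/storage/documents/.htaccess can override the proxy rule.
#
#   <Directory "/path/to/docroot/storage">
#       AllowOverride All
#   </Directory>

# Corrected: the proxy rule lives here and .htaccess is never read.
<Directory "/path/to/docroot/storage">
    # Applies to storage/ and every directory below it
    AllowOverride None

    # Per-directory rewrites need symlink following enabled
    Options FollowSymLinks

    RewriteEngine On
    # Let the proxy itself through untouched
    RewriteRule ^proxy\.php$ - [L]
    # Everything else under storage/ goes to the proxy
    RewriteRule ^(.+)$ proxy.php?file=$1 [QSA,L]
</Directory>
```

With this in place the original docroot/storage/.htaccess is ignored as well and can be removed; the change takes effect after the server configuration is reloaded.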