Tell me more ×
Stack Overflow is a question and answer site for professional and enthusiast programmers. It's 100% free, no registration required.
up vote 1 down vote favorite

This is my virtual host configuration file

<VirtualHost *:80>
    ServerAdmin [email protected]

    ServerName my-domain.tld
    ServerAlias www.my-domain.tld

    DocumentRoot /home/my-domain/public_html
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /home/my-domain/public_html>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log

    # Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
    LogLevel warn

    CustomLog ${APACHE_LOG_DIR}/access.log combined 
</VirtualHost>

and I'd like to disable script execution in /home/my-domain/public_html/uploads folder using .htaccess; already tried with

AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI

then

AddType text/plain .html .htm .shtml .php .php3 .phtml .phtm .pl .py .cgi .js

then

<Files ^(*.jpeg|*.jpg|*.png|*.gif)>
order deny,allow
deny from all
</Files>

and every other directive I found around but none of them can prevent script execution.

apachectl -t -D DUMP_MODULES says that mime_module is enabled and loaded

php_flag engine off is the only directive stopping a php file from executing but what about other types; and why the other apache directives won't work. any idea... ?

share|improve this question
1  
Could be wrong here but I'll ask anyway: would changing your execute permissions on the directory not do the trick? – A.M. D. Nov 16 '12 at 11:04
It already has execute permission. Thanks anyway. – hex494D49 Nov 16 '12 at 16:34
I thought you wanted to disable script execution, wouldn't turning off script execution do exactly what you're trying to do in your .htaccess? Sorry if I'm missing something :-) – A.M. D. Nov 16 '12 at 16:38
I see your point but if the directory hasn't execute permission it won't be accessible by Apache at all. Just tried it. – hex494D49 Nov 16 '12 at 16:48
If you omit execution permission Apache will greet you with a 'Forbidden - 403' message :) and it won't be able to even read/write in that directory. In other words I need that directory to be writable but I'd like to prevent script execution in case someone uploads any malicious script/code. – hex494D49 Nov 16 '12 at 16:59
show 1 more comment

closed as off topic by George Stocker Nov 18 '12 at 1:34

Questions on Stack Overflow are expected to relate to programming or software development within the scope defined in the FAQ. Consider editing the question or leaving comments for improvement if you believe the question can be reworded to fit within the scope. Read more about closed questions here.

1 Answer

up vote 2 down vote accepted

set: AllowOverride None in all directory

share|improve this answer
Done but nothing so far. Now even php_flag engine off doesn't work but it is expected. Thanks anyway. – hex494D49 Nov 16 '12 at 16:37

Not the answer you're looking for? Browse other questions tagged or ask your own question.