[wp-trac] [WordPress Trac] #21981: Securing the uploads directory

WordPress Trac noreply at wordpress.org
Tue Oct 14 09:27:51 UTC 2014


#21981: Securing the uploads directory
-------------------------+-----------------------
 Reporter:  japh         |       Owner:
     Type:  enhancement  |      Status:  reopened
 Priority:  normal       |   Milestone:
Component:  Upload       |     Version:
 Severity:  normal       |  Resolution:
 Keywords:               |     Focuses:
-------------------------+-----------------------
Changes (by markjaquith):

 * status:  closed => reopened
 * resolution:  wontfix =>


Comment:

 Wait a second. We can forget about `php_flag engine off` and just use
 `mod_rewrite` if available to 403 requests to PHP files.

 {{{
 # Disallow access to PHP files in the uploads directory
 <IfModule mod_rewrite.c>
 RewriteEngine On
 RewriteRule \.php[0-9]?$ - [F]
 </IfModule>
 }}}

 The protection scenario here is a locked down environment where only the
 uploads directory is server-writable, and there is a file-writing
 compromise. It's a very safe place for an attacker to put PHP files
 because it is the one place almost guaranteed to be server writable.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/21981#comment:8>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
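A coverage check for the rewrite rule in the comment above, added here as an example and not code from the ticket or from WordPress: it applies the rule's pattern to constructed request paths the way mod_rewrite would (path only, no query string, case-sensitive) and compares it with a stricter variant, an assumption of this example, that also matches `.phtml`/`.phar` and ignores case, since some Apache PHP handler configurations map those extensions too.

```python
import re

# Pattern from the ticket's RewriteRule. mod_rewrite applies it to the URL
# path (per-directory context strips the directory prefix), never to the
# query string, and without the [NC] flag the match is case-sensitive.
UPLOADS_PHP_RULE = re.compile(r"\.php[0-9]?$")

# Stricter variant (assumption, not from the ticket): also covers other
# extensions a typical Apache PHP setup may route to the PHP handler, and
# matches case-insensitively, i.e. the equivalent of adding the [NC] flag.
STRICT_RULE = re.compile(r"\.(php[0-9]?|phtml|phar)$", re.IGNORECASE)


def is_blocked(path, rule=UPLOADS_PHP_RULE):
    """Return True if the rule would answer 403 for this request path."""
    # Drop the query string: RewriteRule patterns see only the path part.
    path = path.split("?", 1)[0]
    return rule.search(path) is not None


def audit(paths, rule=UPLOADS_PHP_RULE):
    """Map each request path to whether the given rule blocks it."""
    return {p: is_blocked(p, rule) for p in paths}


def strict_htaccess():
    """Return the stricter .htaccess fragment corresponding to STRICT_RULE."""
    return (
        "# Disallow access to PHP-handled files in the uploads directory\n"
        "<IfModule mod_rewrite.c>\n"
        "RewriteEngine On\n"
        "RewriteRule \\.(php[0-9]?|phtml|phar)$ - [F,NC]\n"
        "</IfModule>\n"
    )


# Constructed sample request paths (not taken from the ticket).
SAMPLE_PATHS = [
    "/wp-content/uploads/2014/10/photo.jpg",
    "/wp-content/uploads/2014/10/backdoor.php",
    "/wp-content/uploads/2014/10/backdoor.php5",
    "/wp-content/uploads/2014/10/backdoor.php?x=1",
    "/wp-content/uploads/2014/10/backdoor.PHP",
    "/wp-content/uploads/2014/10/backdoor.phtml",
]

if __name__ == "__main__":
    for rule_name, rule in (("ticket", UPLOADS_PHP_RULE), ("strict", STRICT_RULE)):
        for path, blocked in audit(SAMPLE_PATHS, rule).items():
            print(f"{rule_name:6} {'403' if blocked else 'pass'}  {path}")
```

Whichever variant is used, the rule only governs requests served through Apache; files dropped in uploads are still present on disk, so this complements rather than replaces the read-only deployment the comment describes.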