Hi.
I'm working on getting wikipedia wiki fully installed for http://www.consumerium.org/wiki/ and I just got the uploading setting to work so that uploading works, but...
As I checked where it put the test file I noticed that the png I had uploaded had permissions set to -rwxr-xr-x which is not a good thing.
Imagine:
1. Upload whack_the_database.php
2. Point your browser to uploadpath/whack_the_database.php assuming it has access to LocalSettings.php
I heard from taw at #wikipedia that the upload code should make the files _not executable_ which is not what it did.
He tracked it down to the bug being in move_uploaded_file( $wpUploadTempName, $wgSavedFile ) or near it.
Could someone take a look at this?
My CVS-dump is dated 22.2.2003
regards, Juho Heikkurinen
(Juho Heikkurinen juho@consumerium.org):
> Hi.
> As I checked where it put the test file I noticed that the png I had uploaded had permissions set to -rwxr-xr-x which is not a good thing.
This isn't a security problem on Wikipedia because Apache is configured not to execute anything outside the wiki directories. But I can see it might be a problem for other installations, so I added a "chmod(..., 0644)" to the code after the move.
On Tue, 2003-03-18 at 08:20, Juho Heikkurinen wrote:
> As I checked where it put the test file I noticed that the png I had uploaded had permissions set to -rwxr-xr-x
Hmm, that would be a PHP issue I suppose. We don't touch the permissions as far as I know.
> Upload whack_the_database.php
> Point your browser to uploadpath/whack_the_database.php assuming it
> has access to LocalSettings.php
This should probably be in the documentation:
*** FOR THE LOVE OF WIKI, CONFIGURE YOUR WEB SERVER TO DISABLE EXECUTION OF PHP SCRIPTS AND OTHER SUCH THINGS IN THE UPLOAD DIRECTORY! ***
The simplest way to do this of course is to only _enable_ php for the directories where your scripts are stored. What we use is a global option to turn it off:

    <IfModule mod_php4.c>
        php_admin_flag engine off
    </IfModule>

then each wiki's business directory is explicitly turned on:

    <Directory "/usr/local/apache/htdocs/w">
        <IfModule mod_php4.c>
            php_admin_flag engine on
        </IfModule>
        # other options...
    </Directory>
This is in no way related to the executable bit, since php is usually run as an apache module.
-- brion vibber (brion @ pobox.com)
wikitech-l@lists.wikimedia.org
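As an added illustration of the two points raised in this thread (strip the execute bits after the move, as the chmod(..., 0644) fix does, and do not trust the permission bits alone because mod_php executes files regardless of them), here is a small shell script that is not part of the thread or of the MediaWiki code base. It assumes a POSIX shell with find(1); the function names, the upload directory argument and the test file contents are constructed for the example.

```shell
# Constructed example: hardening and auditing a wiki upload directory.
# Not code from the thread or from MediaWiki; function names are made up.

# save_upload TMPFILE UPLOADDIR NAME
# Move a freshly uploaded temp file into place and force 0644, which is
# the shell equivalent of the chmod(..., 0644) added after
# move_uploaded_file() in the thread. Returns non-zero if either step fails.
save_upload() {
    su_tmp=$1; su_dir=$2; su_name=$3
    mv "$su_tmp" "$su_dir/$su_name" || return 1
    chmod 0644 "$su_dir/$su_name"
}

# audit_upload_dir DIR
# Returns 0 when no regular file under DIR carries any execute bit and no
# file has a PHP-style extension. Prints the offenders and returns 1
# otherwise. The extension check is there because, as the thread notes,
# the execute bit is irrelevant to an Apache module: a .php file in a
# directory where the PHP engine is on runs no matter what its mode is.
audit_upload_dir() {
    au_dir=$1
    au_offenders=$(
        find "$au_dir" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) 2>/dev/null
        find "$au_dir" -type f \( -name '*.php' -o -name '*.php3' \
                                  -o -name '*.phtml' -o -name '*.phps' \) 2>/dev/null
    )
    [ -z "$au_offenders" ] && return 0
    printf '%s\n' "$au_offenders"
    return 1
}

# fix_upload_dir DIR
# Normalise an existing upload tree: regular files 0644, directories 0755.
# This repairs files that were moved into place before the chmod fix
# existed, but it cannot fix the extension problem; that is a web server
# configuration matter (php_admin_flag engine off for the upload path).
fix_upload_dir() {
    find "$1" -type f -exec chmod 0644 {} + \
        && find "$1" -type d -exec chmod 0755 {} +
}
```

Run `audit_upload_dir /path/to/uploads` from cron or a deploy script; a non-zero exit means something is either executable or named like a script, and the second case is only safe if the PHP engine is switched off for that directory in httpd.conf as described above.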