Drupal html files under sites/default/files/* is downloading but executing - apache

Drupal html files under sites/default/files/* is downloading but executing.
Note: .htaccess file under sites/default/files/ is with default setting as below:
Turn off all options we don't need.
Options None
Options +FollowSymLinks
Set the catch-all handler to prevent scripts from being executed.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
<Files *>
# Override the handler again if we're run later in the evaluation list.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
</Files>
If we know how to do it safely, disable the PHP engine entirely.
<IfModule mod_php5.c>
php_flag engine off
</IfModule>

Fixed after adding a .htaccess file with below
ForceType text/html
Header set Content-Disposition inline

Related

How can I run extensionless CGI script from apache ROOT?

I'm setting up an apache webserver (on Ubuntu 18.04) with a CGI script, but I want a clean URL without "cgi" in it.
I already have a functioning script (in Perl), which, for the purposes of this question, I'll call myscript.
1. localhost/cgi-bin/myscript (works)
If I put the script in /usr/lib/cgi-bin/myscript, it works with URL localhost/cgi-bin/myscript.
2. localhost/myscript.cgi (works)
Alternatively, I can reconfigure /var/www/ to run files with .cgi or .pl extensions as CGI:
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
+ Options +ExecCGI
+ AddHandler cgi-script .cgi .pl
</Directory>
This works IF I add a .cgi extention: myscript.cgi. Then URL localhost/myscript.cgi works.
3. localhost/myscript ???
But I don't want cgi in my URL. I just want localhost/myscript to run myscript as CGI. (And I don't want to force other files in ROOT to be CGI).
Is this possible?
You cannot do that directly. However, you could Redirect requests for specific extension-less URLs to their corresponding .cgi.
You can test these with an .htaccess file to avoid having to reload the server.
In your <VirtualHost ...> section :
<Directory /your/web/dir/>
Require all granted
AllowOverride All
</Directory>
In /your/web/dir/.htaccess :
Options +ExecCGI
AddHandler cgi-script .cgi
Redirect "/test" /test.cgi
# or
# RedirectMatch "^/(test)$" /$1.cgi
Another possibility would be to use mod_rewrite, and redirect calls to any existing executable file to a file with the same name but with a .cgi extension. The extension-less file must only exist, and can be empty.
In /your/web/dir/.htaccess :
Options +ExecCGI
AddHandler cgi-script .cgi
RewriteEngine On
# If not already .cgi and executable, redirect to .cgi
RewriteCond /your/web/dir/%{REQUEST_URI} "!\.cgi$"
RewriteCond /your/web/dir/%{REQUEST_URI} -x
RewriteRule ^(.+) /$1.cgi [R]
Of course, you can use any other extension than .cgi. For example .x if you set AddHandler cgi-script .x.

Apache / Httpd mod_rewrite and Files directive not working

I'm setting up some Apache (httpd) configuration for an Apache server fronting a Tomcat server like this:
<Proxy *>
Order deny,allow
Allow from all
AllowOverride All
</Proxy>
<IfModule mod_rewrite.c>
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.+)\.v(\d+)\.(js|css|png|jpe?g|gif)$ $1.$3 [L]
</IfModule>
ProxyPass / http://localhost:8080/ retry=0
ProxyPassReverse / http://localhost:8080/
ProxyPreserveHost on
<Files "*.html">
Header set Cache-Control "public, max-age=900"
</Files>
I have both the rewrite module and header module installed. The mod_rewrite rule is there so that I can version my static resources e.g. style.v2.css will be transformed to style.css etc. The custom header is to avoid aggressive caching of html files by browsers.
The proxy directives pass requests onto the Tomcat server listening on port 8080. The rewrite rules is not working though. I get a 404 for style.v2.css because it's not transforming the filename to style.css.
The custom header does not get applied either, but only because the <Files> directive is not matching my html files. If I remove the <Files> directive and apply the custom header to all files, then they all get that header in the their responses.
I'm not sure how to debug this. Is there anything obviously wrong with this configuration?
I had forgotten to include RewriteEngine On to make the rewrite rule work. It does now that I've added that. The <Files> match still doesn't work, even though I am requesting html files.
Also, using:
<Files "myfile.html">
Header set Cache-Control "public, max-age=900"
</Files>
...still does not work when I make a request specifically for myfile.html. By the way, this configuration is inside <VirtualHost _default_:443>.
I've also tried putting my <Files> directive inside a <Directory> directive, but it still doesn't work:
<Directory "/var/www">
<Files "*.html">
Header set Cache-Control "public, max-age=600"
</Files>
</Directory>
The Files directive was apparently useless because I had no DocumentRoot setup e.g.
DocumentRoot /var/www
Once I did that the files started matching.

Need help migrating apache directives to nginx

To keep it simple, I'm trying to find the nginx alternative to the following apache htaccess directives:
<Files track>
SetHandler application/x-httpd-php
</Files>
<Files ttrack>
SetHandler application/x-httpd-php
</Files>
<Files qtrack>
SetHandler application/x-httpd-php
</Files>
I have several of these directives, and it is not possible to rename the files with a php extension so that's out of the question. I just need to know how I can get these extensionless files to be run as php scripts.
If I'm not wrong (it's several years I don't use Apache), you can try:
location /(track|ttrack|qtrack) {
// the stuff to use php-cgi like:
fastcgi_pass upstreamServerPool;
// ...
}
This will match all requests for url like /track or /ttrack or /qtrack.

Disable all CGI (php, perl, …) for a directory using .htaccess

I have a directory where users can upload files.
To avoid security issues (e.g. somebody uploading a malicious php script), I currently change the files' extension by appending .data for example, but then when downloading the file, they have to manually remove the .data.
Another common solution is to upload the files in a directory that is not served by Apache, and have a php script manage all downloads by calling readfile().
What I'd like to do is to simply disallow execution of any scripts (php, perl, cgi scripts, whatever I may install in the future) in the upload folder. This SO answer suggests adding the following line in a .htaccess file in that folder:
SetHandler default-handler
However, in my case this has no effect (the example php script I put in that folder is still executed). What am I doing wrong?
Apache configuration
The machine is a VPS (Virtual Private Server) running Debian GNU/Linux 6.0.7 (squeeze), and as far as I can remember (I note down all commands I run on that server, so my "memory" should be pretty accurate), I dindn't change anything in apache2 configuration, appart from running sudo apt-get install php5, and creating the the file /etc/apache2/sites-enabled/mysite.com with the following contents:
<VirtualHost *:80>
ServerAdmin webmaster#localhost
ServerName mysite.com
ServerAlias www.mysite.com
DocumentRoot /home/me/www/mysite.com/www/
<Directory />
Options FollowSymLinks
AllowOverride All
</Directory>
<Directory /home/me/www/mysite.com/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from All
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Put this in your .htaccess:
<Files *>
# #mivk mentionned in the comments that this may break
# directory indexes generated by Options +Indexes.
SetHandler default-handler
</Files>
But this has a few security holes: one can upload a .htaccess in a subdirectory, and override these settings, and they might also overwrite the .htaccess file itself!
If you're paranoid that the behaviour of the option should change in the future, put this in your /etc/apache2/sites-enabled/mysite.com
<Directory /home/me/www/upload/>
# Important for security, prevents someone from
# uploading a malicious .htaccess
AllowOverride None
SetHandler none
SetHandler default-handler
Options -ExecCGI
php_flag engine off
RemoveHandler .cgi .php .php3 .php4 .php5 .phtml .pl .py .pyc .pyo
<Files *>
AllowOverride None
SetHandler none
SetHandler default-handler
Options -ExecCGI
php_flag engine off
RemoveHandler .cgi .php .php3 .php4 .php5 .phtml .pl .py .pyc .pyo
</Files>
</Directory>
If you can't modify the apache configuration, then put the files in a .htaccess with the following directory structure:
/home/me/www/
|- myuploadscript.php
|- protected/
|- .htaccess
|- upload/
|- Uploaded files go here
That way, nobody should be able to overwrite your .../protected/.htaccess file since their uploads go in a subdirectory of .../protected, not in protected itself.
AFAICT, you should be pretty safe with that.
My Godaddy setup wont allow me to edit the httpd.conf files, and the php_flag command doesn't work due to how they've implemented php for me.
I was able to use this in my .htaccess file:
SetHandler default-handler
AddType text/plain php
I put this in the directory above where my FTP user is allowed to access, which forces all PHP files in that directory, as well as all sub-directories to show php as plain text.
This will work for other file types as well. All you need to do is add another line with whatever extension of file you want to be forced to display in plain text. AddType text/plain cgi for example

open_basedir restriction in effect and subdomains

For security reasons I have put my yii folder below the html root, so my structure looks like this
/conf
/httpdocs
/httpsdocs
/yii
when running the site I get an error open_basedir restriction in effect that yii.php which is called by index.php out of httpdocs is not in the allowed path. Because this site is a subdomain do I edit the vhosts.conf of the main domain or of the subdomain?
What would the proper setting be to allow
/var/www/vhosts/example.com/subdomains/mysubdomain/yii
Path to be accessible?
EDIT
So my /var/www/vhosts/example.com/conf/vhost.conf file looks like this now:
AddHandler fcgid-script .php
<Directory /var/www/vhosts/example.com/httpdocs>
php_admin_value open_basedir ".:/var/www/vhosts/example.com/subdomains/mysubdomain/httpdocs:/tmp/:/var/www/vhosts/example.com/subdomains/mysubdomain/yii"
FCGIWrapper /var/www/vhosts/example.com/bin/php-cgi .php
Options +ExecCGI +FollowSymLinks
allow from all
</Directory>
I've reconfigured and restarted the web server but I still get the error:
Warning: require_once() [function.require-once]: open_basedir restriction in effect.
File(/var/www/vhosts/example.com/subdomains/mysubdomain/httpdocs/../yii/yii.php) is not within the allowed path(s):
(/var/www/vhosts/example.com/subdomains/mysubdomain/httpdocs:/tmp)
in /var/www/vhosts/example.com/subdomains/mysubdomain/httpdocs/index.php on line 26
In the virtualhost:
php_admin_value open_basedir ".:/var/www/vhosts/example.com/subdomains/mysubdomain/httpdocs:/my/own/tmp:/var/www/vhosts/example.com/subdomains/mysubdomain/yii"
I found the answer. You have to specify the different modules or else simply editing the vhost file doens't have much of an effect. This is to turn off the open_basedir but you can edit the settings accordingly.
<Directory /var/www/vhosts/YOURDOMAIN.COM/subdomains/YOUSUBDOMAIN/httpdocs>
<IfModule sapi_apache2.c>
php_admin_value open_basedir none
</IfModule>
<IfModule mod_php5.c>
php_admin_value open_basedir none
</IfModule>
</Directory>
then
# /usr/local/psa/admin/bin/websrvmng --reconfigure-vhost --vhost-name=YOURDOMAIN.COM
# apachectl stop
# apachectl start
Full article can be found here: http://prattski.com/2008/09/13/plesk-open_basedir-fix/