Posted by greggles on April 20, 2012 at 9:57pm
SA 2006-006 makes it impossible to execute PHP inside the Drupal files directory on Apache servers. This is a defense-in-depth mechanism along with things like file_munge_filename and file extension limits in PHP.
Windows doesn't benefit from that change since the change was in .htaccess.
Is there a way to prevent IIS from executing files inside a specific directory? Is there some way we can bundle that up and ship it with Drupal like the web.config?

Comments
Removing the handlers is the closest I've seen.
I've only tested on IIS Express, and I'm really not an expert in IIS at all, but a web.config under files/ with the following contents seems to prevent execution of PHP files and other executable files (like .aspx) while allowing for the regular viewing of static files like images, text, etc. (only tested with gif, png and txt). The files without handlers (such as PHP) return a 404.3 error, but you can add mimeMap lines in the staticContent section to have them downloaded instead (done below for PHP). I don't know if there is a better way to do that. It'd be nice if we could say "if there is no handler, just use download" to catch any other files (.pl, .cgi, etc.)
<configuration>
  <system.webServer>
    <handlers>
      <clear />
      <add
        name="static"
        path="*"
        verb="*"
        modules="StaticFileModule"
        resourceType="Either"
        requireAccess="Read"
      />
    </handlers>
    <staticContent>
      <mimeMap fileExtension=".php" mimeType="application/octet-stream" />
    </staticContent>
  </system.webServer>
</configuration>
I hope this helps.
Not sure of syntax but likely a good patch
The web.config file is very much analogous to the .htaccess file. Good sysadmins would never replace/modify it as part of a Drupal core update.
So I don't think a patch like this will break any sites.
www.johnbarclay.com
web.config syntax
mistermarco's solution is correct, except for some minor syntax corrections (verb and path set to *). I also removed the PHP mime map as static content to avoid unwanted disclosure of source code.
I tested it on IIS 7.x and 8.0 (developer preview).
Edit: I just noticed that the "*" is not properly formatted in the "code" tag on the forum, I had to add an extra space (to be removed in the file), so I suppose that they were properly set also on mistermarco's initial sample.
That's the easiest way to achieve this result as the web.config file is the IIS rough equivalent of an Apache .htaccess file.
Here's the final Web.config content to be put in the "files" directory:
<configuration>
  <system.webServer>
    <handlers>
      <clear />
      <add
        name="StaticFile"
        path="*"
        verb="*"
        modules="StaticFileModule"
        resourceType="Either"
        requireAccess="Read"
      />
    </handlers>
  </system.webServer>
</configuration>
Alessandro Pilotti
MVP ASP.Net / IIS
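A small audit script, added here as an illustration and not part of the thread or of Drupal, that checks a web.config destined for the files/ directory against the points raised in the two posts above: handlers are cleared and only a StaticFileModule handler with requireAccess="Read" remains, the path/verb wildcards are a clean "*" (no forum-induced trailing space), and no mimeMap serves .php sources as downloadable static content. The two embedded configs are constructed samples mirroring mistermarco's draft and Alessandro's final version; the function name and the extension list are assumptions of this example.

```python
"""Audit a web.config meant for Drupal's files/ directory on IIS.

Added example (not from the thread). It parses the XML and reports the
weaknesses discussed above; an empty result means the config looks right.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the hardened version (handlers cleared, static only).
HARDENED = """<configuration><system.webServer>
<handlers>
<clear />
<add name="StaticFile" path="*" verb="*" modules="StaticFileModule"
     resourceType="Either" requireAccess="Read" />
</handlers>
</system.webServer>
</configuration>"""

# Constructed sample: the first draft, with the whitespace-mangled wildcards
# copied from the forum and a .php mimeMap that lets source code be downloaded.
DRAFT = """<configuration><system.webServer>
<handlers>
<clear />
<add name="static" path="* " verb="* " modules="StaticFileModule"
     resourceType="Either" requireAccess="Read" />
</handlers>
<staticContent>
<mimeMap fileExtension=".php" mimeType="application/octet-stream" />
</staticContent>
</system.webServer>
</configuration>"""

# Assumed list of extensions that must never be served as static content.
SOURCE_EXTENSIONS = {".php", ".phtml", ".inc", ".module", ".install"}


def audit_files_webconfig(xml_text):
    """Return a list of finding strings for the given web.config text."""
    findings = []
    root = ET.fromstring(xml_text)

    handlers = root.find("system.webServer/handlers")
    if handlers is None:
        return ["no <handlers> section: inherited script handlers still apply"]

    # <clear /> must come first, otherwise the PHP/ASPX handlers inherited
    # from the site or server level remain active in this directory.
    children = list(handlers)
    if not children or children[0].tag != "clear":
        findings.append("<handlers> does not start with <clear />: "
                        "inherited PHP/ASPX handlers are still active")

    for add in handlers.findall("add"):
        name = add.get("name", "?")
        if add.get("modules") != "StaticFileModule":
            findings.append(f"handler {name!r} uses modules={add.get('modules')!r}, "
                            "not StaticFileModule")
        if add.get("requireAccess") != "Read":
            findings.append(f"handler {name!r} has requireAccess="
                            f"{add.get('requireAccess')!r}, expected Read")
        # The wildcard must be exactly "*"; a trailing space (as the forum
        # rendered it) would not match any request.
        for attr in ("path", "verb"):
            value = add.get(attr, "")
            if value != value.strip():
                findings.append(f"handler {name!r}: {attr}={value!r} contains "
                                "whitespace (copy/paste artefact)")
            elif value != "*":
                findings.append(f"handler {name!r}: {attr}={value!r} is not '*'")

    # A mimeMap for a source extension turns "not executed" into "downloadable".
    for mm in root.iterfind("system.webServer/staticContent/mimeMap"):
        ext = (mm.get("fileExtension") or "").lower()
        if ext in SOURCE_EXTENSIONS:
            findings.append(f"mimeMap serves {ext} as static content: "
                            "source code disclosure")
    return findings


if __name__ == "__main__":
    for label, cfg in (("draft", DRAFT), ("hardened", HARDENED)):
        print(label, audit_files_webconfig(cfg) or "OK")
```

Run it against the web.config you actually deploy under files/ (read the file and pass its text to audit_files_webconfig). The check is structural only; it still pays to request a harmless test .php file under files/ on the real server and confirm it is neither executed nor returned as source.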
I created the issue at
I created the issue at http://drupal.org/node/1543392 to track this idea as a core improvement.
Thanks for all the great help here! I probably won't be able to work on the core feature request but will watch and help champion the idea if anyone else can work on it.
knaddison blog | Morris Animal Foundation