
htaccess and security

Viv

Community Member, 30 Posts

19 July 2014 at 7:31pm

Edited: 19/07/2014 7:32pm

Hello,

I have several older installations of Silverstripe (2.4.5 and similar) on a shared server setup. Recently (I assume after a server upgrade) the 'Files and Images' section of the site stopped working - images could not be uploaded. Just a message saying 'the connection was reset' in Firefox.

After help from the hosting IT department, it was discovered that altering the .htaccess file in the Assets folder by removing the 'Deny from all' section fixed the issue:

...

Deny from all
<FilesMatch "\.(html|htm|xhtml|js|css|bmp|png|gif|jpg|jpeg|ico|pcx|tif|tiff|au|mid|midi|mpa|mp3|ogg|m4a|ra|wma|wav|cda|avi|mpg|mpeg|asf|wmv|m4v|mov|mkv|mp4|swf|flv|ram|rm|doc|docx|txt|rtf|xls|xlsx|pages|ppt|pptx|pps|csv|cab|arj|tar|zip|zipx|sit|sitx|gz|tgz|bz2|ace|arc|pkg|dmg|hqx|jar|xml|pdf)$">
Allow from all
</FilesMatch>

...

I'm not sure what is happening here. The file hasn't changed. I assumed the second part of the text (FilesMatch) was overriding the Deny section. Do newer versions of Apache interpret the rules differently?

Also, how much of a security issue is my commenting out the 'Deny from all'?

Thanks for any help with this.

Kirk

Community Member, 67 Posts

21 July 2014 at 3:37pm

This could be a security issue as content editors will be able to upload potentially dangerous files.
Also, if you have allowed front end users to upload files to assets, they could also upload potentially dangerous files.
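As an added example (not SilverStripe's shipped file and not from either poster), here is the same assets-folder policy written so that it reads correctly on both Apache 2.2 (Order/Deny/Allow) and Apache 2.4, where mod_authz_core replaced those directives with Require. It assumes a 2.4 server has mod_authz_core loaded and that PHP, if present, runs as mod_php; the extension list is copied from the thread. The point of the deny-by-default rule is that anything in assets/ that is not one of the listed static types, for instance an uploaded script, is refused rather than executed.

```apache
# assets/.htaccess (added example): deny everything in this directory
# by default and only hand out known static file types, so an uploaded
# script is never executed by the web server.

# Apache 2.4: mod_authz_core syntax. Require all denied / granted replace
# the old Deny from all / Allow from all pair.
<IfModule mod_authz_core.c>
    Require all denied
    <FilesMatch "\.(html|htm|xhtml|js|css|bmp|png|gif|jpg|jpeg|ico|pcx|tif|tiff|au|mid|midi|mpa|mp3|ogg|m4a|ra|wma|wav|cda|avi|mpg|mpeg|asf|wmv|m4v|mov|mkv|mp4|swf|flv|ram|rm|doc|docx|txt|rtf|xls|xlsx|pages|ppt|pptx|pps|csv|cab|arj|tar|zip|zipx|sit|sitx|gz|tgz|bz2|ace|arc|pkg|dmg|hqx|jar|xml|pdf)$">
        Require all granted
    </FilesMatch>
</IfModule>

# Apache 2.2 (or 2.4 with mod_access_compat loaded): legacy syntax.
# Order deny,allow means the Allow inside FilesMatch wins for matching
# names, which is the behaviour the thread's original file relied on.
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    <FilesMatch "\.(html|htm|xhtml|js|css|bmp|png|gif|jpg|jpeg|ico|pcx|tif|tiff|au|mid|midi|mpa|mp3|ogg|m4a|ra|wma|wav|cda|avi|mpg|mpeg|asf|wmv|m4v|mov|mkv|mp4|swf|flv|ram|rm|doc|docx|txt|rtf|xls|xlsx|pages|ppt|pptx|pps|csv|cab|arj|tar|zip|zipx|sit|sitx|gz|tgz|bz2|ace|arc|pkg|dmg|hqx|jar|xml|pdf)$">
        Allow from all
    </FilesMatch>
</IfModule>

# Second layer: the FilesMatch above only looks at the final extension,
# and mod_mime can map a name with several extensions to a PHP handler,
# so switch the PHP engine off for this directory as well. This block is
# an assumption about the PHP setup and is only honoured under mod_php.
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>
```

If removing Deny from all was the only thing that made uploads work, the first block is the 2.4-era replacement to try before leaving the directory open, and a 403 on a deliberately uploaded test.txt renamed to test.php is the quick check that the policy holds.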