From 299131ed22c1afafe52136494e42acb11e270435 Mon Sep 17 00:00:00 2001 From: Damian Mooyman Date: Thu, 26 Apr 2018 15:37:50 +1200 Subject: [PATCH] [ss-2018-012] File security documentation --- .../14_Files/03_File_Security.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/docs/en/02_Developer_Guides/14_Files/03_File_Security.md b/docs/en/02_Developer_Guides/14_Files/03_File_Security.md index 69f9de238..0e5201866 100644 --- a/docs/en/02_Developer_Guides/14_Files/03_File_Security.md +++ b/docs/en/02_Developer_Guides/14_Files/03_File_Security.md @@ -348,6 +348,24 @@ RewriteRule .* ../index.php [QSA] You will need to ensure that your core apache configuration has the necessary `AllowOverride` settings to support the local .htaccess file. +Although assets have a 404 handler which routes to a PHP handler, .php files within assets itself +should not be allowed to be marked as executable. + +When securing your server you should ensure that you protect against both files that can be uploaded as +executable on the server, as well as protect against accidental upload of `.htaccess` which bypasses +this file security. + +For instance your server configuration should look similar to the below: + +``` + + php_admin_flag engine off + +``` + +The `php_admin_flag` will protect against uploaded `.htaccess` files accidentally re-enabling script +execution within the assets directory. + #### Configuring Web Server: Windows IIS 7.5+ Configuring via IIS requires the Rewrite extension to be installed and configured properly.
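Review bot: The recommended configuration in this hunk shows `php_admin_flag engine off` inside a bare fence with no enclosing container visible, so as written it reads as a server-wide setting that would also disable PHP for `index.php`; it needs to be scoped to the assets directory, e.g. `<Directory "/path/to/assets">` / `php_admin_flag engine off` / `</Directory>` (path is the site's own), and the prose on the lines above it should say that the scoping is the point. Two further gaps in the same hunk: `php_admin_flag` is a mod_php directive that `.htaccess` cannot override (which is why it is the right choice here), but it is not recognised at all when PHP runs via PHP-FPM/FastCGI, where Apache rejects it as an unknown directive; that case deserves a sentence pointing at denying or un-handling `.php` under assets instead (for example a `<FilesMatch "\.php$">` block with `SetHandler None` or `Require all denied`). Finally, "should not be allowed to be marked as executable" and "accidental upload of `.htaccess`" understate the threat; an uploaded `.htaccess` is a deliberate bypass of the file security the section describes, and the text should say so and tie it back to the `AllowOverride` setting mentioned in the preceding context lines, since that setting is exactly what lets an uploaded `.htaccess` take effect.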