Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

.htaccess file in /tmp/ is automatically deleted #6

Open
catharsis71 opened this issue Oct 3, 2022 · 4 comments
Open

.htaccess file in /tmp/ is automatically deleted #6

catharsis71 opened this issue Oct 3, 2022 · 4 comments

Comments

@catharsis71
Copy link

I tried to put a .htaccess file in the /tmp/ directory however the potiboard.php keeps deleting it when it checks for older files in the /tmp/ directory

even if the ownership of the file is set to root, it still deletes it

.htaccess files should probably not be included in the automatic deletion
@satopian
Copy link
Owner

satopian commented Oct 4, 2022

@catharsis71 Why is .htaccess needed in tmp?
If you want to hide files with the extension .dat, there is already a .htaccess file with that description in the upper directory.

<files ~ "(^config\.php$|\.(ini|log|dat|json)$)">
	order allow,deny
	deny from all
</files>

If you want to control something other than .dat files, could you tell me how you wanted to set it up?
Or is the .dat file control not working?

It's technically possible to modify potiboard.php so that it doesn't delete the .htaccess in the tmp directory, but I'd like to understand why this is necessary before proceeding.
thank you.

@catharsis71
Copy link
Author

I use .htaccess in different directories for various purposes but in this specific case I use Options +Indexes because I want directory listing to be enabled in that directory. I use the same .htaccess file in /tmp/, /src/, and /thumb/ because I want directory listing enabled for all of them however the .htaccess file in /tmp/ keeps getting deleted

satopian added a commit that referenced this issue Oct 9, 2022
@satopian
#6 Exclude .htaccess files in TEMP_DIR from automatic deletion.
ba838df
@satopian
Copy link
Owner

satopian commented Oct 9, 2022

Supported in v5.28.0.
.htaccess files are not deleted.

@satopian satopian closed this as completed Oct 9, 2022
@satopian
Copy link
Owner

satopian commented Oct 9, 2022
edited
Loading

sorry.
It is not supported from the viewpoint of unauthorized upload prevention of .htaccess file.
Various files are temporarily uploaded to the tmp directory.
Malicious files are checked. For example, check the file extension and file format. But I don't know what kind of illegal upload methods are there.
The src directory, like the tmp directory, is also where uploaded files are stored, so you can't program it to expect .htaccess files to be placed there.
I don't want to put a .htaccess file somewhere where files are uploaded. This is because unapproved .htaccess files can be used for redirection.

ba838df

function deltemp(){
	$handle = opendir(TEMP_DIR);
	while ($file = readdir($handle)) {
		if(!is_dir($file) && $file!=='.htaccess') {

Please rewrite the .htaccess file by yourself so as not to delete it.
I am sorry that I did not meet your expectations.

@satopian satopian reopened this Oct 9, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@satopian @catharsis71