satopian / poti-kaini-EN

POTI-board EVO English ver, The OekakiBBS for PaintBBS NEO, tegaki.js, ChickenPaint, and Klecks. (PHP7.4-PHP8.3) https://paintbbs.sakura.ne.jp/poti/
https://paintbbs.sakura.ne.jp/

.htaccess file in /tmp/ is automatically deleted #6

Open catharsis71 opened 1 year ago

catharsis71 commented 1 year ago

I tried to put a .htaccess file in the /tmp/ directory; however, potiboard.php keeps deleting it when it checks for older files in the /tmp/ directory.

Even if the ownership of the file is set to root, it still deletes it.

.htaccess files should probably not be included in the automatic deletion.

satopian commented 1 year ago

@catharsis71 Why is .htaccess needed in tmp? If you want to hide files with the extension .dat, there is already a .htaccess file with that description in the upper directory.

<files ~ "(^config\.php$|\.(ini|log|dat|json)$)">
    order allow,deny
    deny from all
</files>

If you want to control something other than .dat files, could you tell me how you wanted to set it up? Or is the .dat file control not working?

It's technically possible to modify potiboard.php so that it doesn't delete the .htaccess in the tmp directory, but I'd like to understand why this is necessary before proceeding. Thank you.

catharsis71 commented 1 year ago

I use .htaccess in different directories for various purposes, but in this specific case I use Options +Indexes because I want directory listing to be enabled in that directory. I use the same .htaccess file in /tmp/, /src/, and /thumb/ because I want directory listing enabled for all of them; however, the .htaccess file in /tmp/ keeps getting deleted.

satopian commented 1 year ago

Supported in v5.28.0. .htaccess files are not deleted.

satopian commented 1 year ago

Sorry. It is not supported from the viewpoint of preventing unauthorized uploads of .htaccess files. Various files are temporarily uploaded to the tmp directory. Malicious files are checked; for example, the file extension and file format are checked. But I don't know what kind of illegal upload methods there are. The src directory, like the tmp directory, is also where uploaded files are stored, so you can't program it to expect .htaccess files to be placed there. I don't want to put a .htaccess file somewhere where files are uploaded. This is because unapproved .htaccess files can be used for redirection.

https://github.com/satopian/poti-kaini-EN/commit/ba838df492cf3cbdf77b283751b753dfb2c01ee6

function deltemp(){
    $handle = opendir(TEMP_DIR);
    while (false !== ($file = readdir($handle))) {
        if(!is_dir(TEMP_DIR.$file) && $file!=='.htaccess') { // age check and unlink() of stale files elided in this excerpt
        }
    }
    closedir($handle);
}

Please rewrite the .htaccess file by yourself so as not to delete it. I am sorry that I did not meet your expectations.
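The rule satopian lands on above, that a directory receiving uploads must never carry a .htaccess it did not ship with, is shown below as an added example (not POTI-board's own code). EXAMPLE_TEMP_DIR, ALLOWED_EXT, is_safe_upload_name() and sweep_temp() are names assumed for illustration, and the sample files are constructed by the script itself.

```php
<?php
// Added example, not POTI-board code. Defensive cleanup for an upload temp
// directory: stale files go, and any control file (.htaccess, .htpasswd,
// .user.ini ...) is treated as hostile and removed instead of exempted.
// Constants and function names are assumptions for this illustration.

const EXAMPLE_TEMP_DIR = __DIR__ . '/tmp_example/';
const ALLOWED_EXT = ['png', 'jpg', 'jpeg', 'gif'];

/** Accept only plain image names: no dotfiles, no path separators, known extension. */
function is_safe_upload_name(string $name): bool
{
    if ($name === '' || strlen($name) > 64) return false;
    if (strpbrk($name, "/\\\0") !== false) return false;   // no '/', '\' or NUL
    if ($name[0] === '.') return false;                     // rejects .htaccess and friends
    if (!preg_match('/^[A-Za-z0-9_-]+\.([A-Za-z0-9]+)$/', $name, $m)) return false;
    return in_array(strtolower($m[1]), ALLOWED_EXT, true);
}

/**
 * Remove regular files older than $maxAge seconds. Unlike the v5.28.0 attempt,
 * nothing is whitelisted: a .htaccess (or any other name that would never be a
 * legitimate upload) is removed regardless of age. Returns the removed names.
 */
function sweep_temp(string $dir, int $maxAge): array
{
    $removed = [];
    foreach (new DirectoryIterator($dir) as $entry) {
        if ($entry->isDot() || !$entry->isFile()) continue;
        $name  = $entry->getFilename();
        $stale = (time() - $entry->getMTime()) > $maxAge;
        if (($stale || !is_safe_upload_name($name)) && @unlink($entry->getPathname())) {
            $removed[] = $name;   // in production: also log this, a .htaccess here is an incident
        }
    }
    return $removed;
}

// Constructed sample: an old image, a fresh image, and an injected .htaccess.
@mkdir(EXAMPLE_TEMP_DIR, 0755);
file_put_contents(EXAMPLE_TEMP_DIR . 'old.png', 'x');
touch(EXAMPLE_TEMP_DIR . 'old.png', time() - 7200);
file_put_contents(EXAMPLE_TEMP_DIR . 'fresh.png', 'x');
file_put_contents(EXAMPLE_TEMP_DIR . '.htaccess', "Options +Indexes\n");
print_r(sweep_temp(EXAMPLE_TEMP_DIR, 3600));
```

The same name filter belongs at upload time so a control file is refused before it is ever written; and where the server configuration is under your control, setting `AllowOverride None` for the upload directories makes Apache ignore any .htaccess that slips through regardless of the PHP-side cleanup.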