disable file uploads

Robert Paprocki rpaprocki at fearnothingproductions.net
Tue Mar 24 02:57:07 UTC 2015


Sounds like you either have a vulnerable web application or a hole in your system's security. If the root of your problem is that you're having content uploaded to your server without your consent, you're asking the wrong question. 

If your app does allow for arbitrary file upload, you can disallow certain file extensions, but that should be handled in whatever WordPress plugin you're using. 

> On Mar 23, 2015, at 18:15, Steve Holdoway <steve at greengecko.co.nz> wrote:
> 
>> On Tue, 2015-03-24 at 00:00 +0000, Francis Daly wrote:
>>> On Tue, Mar 24, 2015 at 12:47:38PM +1300, Steve Holdoway wrote:
>>>> On Mon, 2015-03-23 at 22:52 +0000, Francis Daly wrote:
>>>> On Tue, Mar 24, 2015 at 09:13:50AM +1300, Steve Holdoway wrote:
>> 
>> Hi there,
>> 
>>>>> Is there any way to stop / disable random file uploads... for example,
>>>>> I'm having 'fun' with mail relays being uploaded to the cache area of a
>>>>> wordpress site?
>>>> 
>>>> What the difference between a request that is a file upload and a request
>>>> that is not a file upload, on your system?
>> 
>>>        # set the static ones first, then the catchall
>>>        # Directives to send expires headers and turn off 404 error logging.
>>>        location ~* ^/(?:uploads|files|cache|plugins)/.*\.(png|gif|jpg|jpeg|css|js|swf|ico|txt|xml|bmp|pdf|doc|docx|ppt|pptx|zip|woff|ttf|otf|xls|myo|qbb|pst|dat|qbx|bc7|cf7)$ {
>>>                expires 24h;
>>>                log_not_found off;
>>>        }
>> 
>> For requests that match this location block, serve from the filesystem.
>> 
>>>        location ~* ^/wp-content/(files|uploads|cache|plugins)/.*.(|php|js|swf)$ {
>>>                types { }
>>>                default_type text/plain;
>>>        }
>> 
>> For requests that match this location block, serve from the filesystem.
>> 
>> None of that seems to say "handle file uploads".
>> 
>> I confess I'm somewhat confused about what your question is.
>> 
>> What request do you make of nginx, that does not give you the response
>> that you want?
>> 
>>    f
> Sorry, 
> 
> This is the best block I can find, where the intention is that php files
> are just served as text, not processed, which should be good and
> annoying for the users as well.
> 
> As I said, I can't work out how on earth to stop them being uploaded in
> the first place.
> 
> Steve
> 
> -- 
> Steve Holdoway BSc(Hons) MIITP
> http://www.greengecko.co.nz
> Linkedin: http://www.linkedin.com/in/steveholdoway
> Skype: sholdowa
> 
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
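
Added example, not part of the original thread: a Python check of which request paths the two quoted location regexes match, taking the first matching regex block in config order. Python's `re` stands in for nginx's PCRE here, only these two blocks are modelled, and `AS_TEXT_TIGHT` and the sample paths are assumptions constructed for the illustration.

```python
import re

# Patterns copied from the two quoted location blocks, with the e-mail line
# wraps rejoined. nginx "~*" is a case-insensitive regex match on the URI path.
STATIC = (r"^/(?:uploads|files|cache|plugins)/.*\.(png|gif|jpg|jpeg|css|js|swf"
          r"|ico|txt|xml|bmp|pdf|doc|docx|ppt|pptx|zip|woff|ttf|otf|xls|myo"
          r"|qbb|pst|dat|qbx|bc7|cf7)$")
AS_TEXT = r"^/wp-content/(files|uploads|cache|plugins)/.*.(|php|js|swf)$"
# Assumption (not from the thread): dot escaped, empty alternative removed.
AS_TEXT_TIGHT = r"^/wp-content/(files|uploads|cache|plugins)/.*\.(php|js|swf)$"

ORIGINAL = [("static", STATIC), ("as_text", AS_TEXT)]
TIGHTENED = [("static", STATIC), ("as_text", AS_TEXT_TIGHT)]

# Constructed request paths, not taken from any log.
SAMPLE_URIS = [
    "/uploads/report.pdf",
    "/wp-content/uploads/2015/03/logo.png",
    "/wp-content/cache/mailer.php",
    "/wp-content/cache/MAILER.PHP",
    "/wp-content/cache/mailer.phtml",
    "/wp-content/themes/a/style.css",
]

def pick_location(uri, blocks):
    """Name of the first regex block that matches, in config order, else None."""
    for name, pattern in blocks:
        if re.search(pattern, uri, re.IGNORECASE):
            return name
    return None

def compare(uris=SAMPLE_URIS):
    """Map each URI to (block chosen with original regex, with tightened regex)."""
    return {u: (pick_location(u, ORIGINAL), pick_location(u, TIGHTENED))
            for u in uris}

if __name__ == "__main__":
    for uri, (orig, tight) in compare().items():
        print(f"{uri:40} original={orig!s:8} tightened={tight}")
```

As posted, the second regex matches every non-empty path under the four wp-content directories, images included, because of the unescaped dot and the empty alternative. The tightened form matches only the three listed extensions, so a name such as `mailer.phtml` falls outside it.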


